From Chaos to Calm – Vulnerability Management for a Dynamic, Sprawling Technology Estate

Nov 20, 2024

Recording of my talk at code.talks 2024 on vulnerability management. Nazneen and I dive into the challenges that scale and rate of change impose on our vulnerability management program and relive key decisions on our journey to building a robust, scalable, automated security framework that embraces a vast technology estate, autonomous teams, and competing priorities. ...


Evergreen Dependencies With Dependabot and GitHub Actions

Jun 27, 2024

Updating dependencies is a chore at best and a source of vulnerabilities at worst. Let's look at a better way with GitHub Actions and Dependabot, and examine the pros and cons. ...


Using gopass for Secrets Management, Infrastructure Automation, and Continuous Deployment

Apr 24, 2024

Handling secrets plagues many teams. Most never get secrets out of plain-text repositories and end up relying on Talisman and similar leak scanners as a safety net. gopass offers a better way. ...


Rule-Based Auto-Decline for Your Google Calendar

Apr 2, 2024

Google Calendar does not offer rule-based uncluttering, but Apps Script offers a workaround. ...


Stop Using Bastion Hosts on AWS!

Mar 12, 2024

AWS finally delivered a way to connect to EC2 without exposing a public IPv4 address ...


Yubikey Madness

Aug 29, 2022

How to take full advantage of your YubiKey ... all the way down the rabbit hole. ...


Engineering Python in the CLI in 2021

Jun 25, 2021

A quick explainer on how to work effectively with Python from the CLI. ...


Python and JS Development From the iPad With AWS EC2

Feb 10, 2021

What it takes to make the iPad a development machine in 2021. ...


Lightweight Python Environment Configuration

Feb 7, 2021

Using Python dataclasses for stupidly simple configuration parsing ...
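
The idea the post teases, a typed dataclass doubling as the configuration schema, as an added example that is not the post's own code. It assumes settings arrive as a flat mapping of environment variables with a hypothetical `APP_` prefix; the sample environment is constructed here, and the API key in it is a placeholder, not a real credential.

```python
from dataclasses import MISSING, dataclass, field, fields
from typing import Mapping


class ConfigError(ValueError):
    """Raised for a missing required setting or a value of the wrong type."""


def _coerce(raw: str, typ):
    """Turn the string value from the environment into the field's declared type."""
    if typ is bool:
        # bool("false") would be True, so booleans need explicit parsing.
        v = raw.strip().lower()
        if v in ("1", "true", "yes", "on"):
            return True
        if v in ("0", "false", "no", "off"):
            return False
        raise ConfigError(f"not a boolean: {raw!r}")
    return typ(raw)


@dataclass(frozen=True)
class Settings:
    """The schema: field names, types and defaults are the whole configuration spec."""
    db_host: str                    # required: no default, so a missing value is an error
    db_port: int = 5432
    debug: bool = False
    # repr=False keeps the secret out of logs, tracebacks and debug output.
    api_key: str = field(default="", repr=False)


def load_settings(env: Mapping[str, str], prefix: str = "APP_") -> Settings:
    """Build Settings from env, reading PREFIX + FIELD_NAME for every field (assumed convention)."""
    kwargs = {}
    for f in fields(Settings):
        key = prefix + f.name.upper()
        if key in env:
            try:
                kwargs[f.name] = _coerce(env[key], f.type)
            except (TypeError, ValueError) as exc:
                raise ConfigError(f"{key}: {exc}") from exc
        elif f.default is MISSING and f.default_factory is MISSING:
            raise ConfigError(f"missing required setting {key}")
    return Settings(**kwargs)


# Constructed sample environment; the API key is a dummy placeholder.
SAMPLE_ENV = {
    "APP_DB_HOST": "db.internal",
    "APP_DB_PORT": "6543",
    "APP_DEBUG": "true",
    "APP_API_KEY": "dummy-key-not-real",
}

if __name__ == "__main__":
    # In a real service this would be load_settings(os.environ).
    print(load_settings(SAMPLE_ENV))
```

Because the dataclass is frozen and typed, a bad port or a missing host fails at start-up with the offending variable named, instead of surfacing later as a runtime error, and the secret field never appears in the printed representation.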


Towards a Secure Path to Production

Jun 4, 2020

In this post, we explore what it takes to create a secure software delivery lifecycle. The reader learns how risk and security are related, which development practices need to be taken into account, and what it takes to support a secure application in production. ...


Rational Application-Level Threat Modeling

May 3, 2018

This is the third post of the Rational Security series. We're drilling down into the tools to map out the systems with respect to security. In this post, we are taking a look at using data-flow diagrams and attack trees to understand failure domains and proactively address security needs. ...


Rational High-Level Threat Modeling

May 3, 2018

This is the second post of the Rational Security series. In this post, we are taking a look at high-level threat modeling to capture stakeholders' concerns by looking at our operation holistically from a 30,000-foot view. ...


An Introduction to Rational Security

May 3, 2018

This is the first post of the Rational Security series, in which we introduce tools to rationally reason about the security requirements of the systems we build. In this post, we are taking a closer look at why we're still building systems that suck and why we're fetishizing the attacks instead of thinking rationally ...


Planning Non-Confrontational Interactions

Apr 17, 2018

As consultants, most of our job revolves around communication in various shapes and forms. The SCARF model allows us to be adaptive when the stakes are high ...


Webapp Security 101

Oct 16, 2015

After reading this blog post, you should be familiar with a couple of simple mechanisms to provide a safer web experience for everyone ...


Grand Central Dispatch

Aug 5, 2015

This was written way back in 2013 when GCD was still new, but I finally decided to put it on my blog since I kept coming back ...


Automatic Reference Counting

Aug 5, 2015

This was written way back in 2012 when manual memory management was still a thing, but I finally decided to put it on my blog since ...


Why Alice Has a Problem if Bob Can’t Encrypt

Jan 27, 2015

I listened to many good talks at the 31st Chaos Communication Congress in Hamburg (GER) last December. I was especially impressed by ...
