Recording of my talk at code.talks 2024 on vulnerability management. Nazneen and I dive into the challenges that scale and rate of change impose on our vulnerability management program and relive key decisions on our journey to building a robust, scalable, automated security framework that embraces a vast technology estate, autonomous teams, and competing priorities. ...

>> Read more ...

Updating dependencies is a chore at best and a source of vulnerabilities at worst. Let's look at a better way with Github Actions and Dependabot, and examine the pros and cons. ...

>> Read more ...

Handling secrets plagues many teams. Most fail to avoid plain-text repos and have to rely on Talisman and other faulty tools. gopass offers a better way. ...

>> Read more ...

Google Calendar does not offer rule-based uncluttering, but Apps Script offers a workaround. ...

>> Read more ...

AWS finally delivered a way to connect to EC2 without exposing a public IPv4 address ... ...

>> Read more ...

How to take full advantage of your yubikey... all the way down the rabbit hole. ...

>> Read more ...

A quick explainer on how effectively work with Python in the CLI. ...

>> Read more ...

What it takes to make the iPad a development machine in 2021. ...

>> Read more ...

Using Python Data Classes for stupidly simple configuration parsing ...

>> Read more ...

In this post, we explore what it takes to create a secure software delivery lifecycle. The reader learns how risk and security are related, which development practices need to be taken into account, what it takes to support a secure application in production. ...

>> Read more ...

This is the third post of the Rational Security series. We're drilling down into the tools to map out the systems with respect to security. In this post, we are taking a look at using data-flow diagrams and attack trees to understand failure domains and proactively address security needs. ...

>> Read more ...

This is the second post of the Rational Security series. In this post, we are taking a look at high-level threat modeling to capture stakeholders' concerns by looking at our operation holistically from a 30000 feet view. ...

>> Read more ...

This is the first post of the Rational Security series, in which we introduce tools to rationally reason about the security requirements of the systems we build. In this post, we are taking a closer look at why we're still building systems that suck and why we're fetishizing the attacks instead of thinking rationally ...

>> Read more ...

As consultants, most of our job revolves around communication in various shapes and forms. The SCARF model allows us to be adaptive when the stakes are high ...

>> Read more ...

After reading this blog post, you should be familiar with a couple of simple mechanisms to provide a safer web experience for everyone ...

>> Read more ...

This was written way back in 2013 when the GCD was still new, but finally decided to put it on my blog since I kept coming back ...

>> Read more ...

This was written way back in 2012 when manual memory management was still a thing, but finally decided to put it on my blog since ...

>> Read more ...

I listened to many good talks at the 31st Chaos Communication Congress in Hamburg (GER) last December. I was especially impressed by ...

>> Read more ...