Deep technical dives on application security, infrastructure scanning, SAST, secrets management, and the mechanics of building secure software pipelines — no marketing fluff.
Most IaC scanners run against your working directory — but Terraform modules sourced from Git are fetched at terraform init time, in the wrong place, or never at all.
npm audit only reads your lockfile. It has no idea about the jQuery 1.11 sitting in your static folder since 2015. Here is what it misses and how to actually find it.
Untrusted input flowing through ${{ github.event.issue.title }} into shell commands is a class of injection that static analysers routinely overlook.
Rotating a leaked key in your current branch does nothing to the commit SHA where it lived. Here is how attackers recover rotated secrets from public repositories — and how to actually remediate.
A CVE in a direct dependency gets patched. The vulnerable version stays in your lockfile via an indirect transitive path your scanner never flags.
Admission webhooks that fail-open during outages create a narrow window where unsigned, unscanned images bypass your entire security policy chain.
Modern prototype pollution chains through gadgets in popular frameworks in ways that rule-based SAST engines simply cannot model. Here is the gap.
RUN rm .env doesn't remove the secret from the image — it just hides it behind a whiteout file. Every previous layer is still there, still readable. Here is the extraction proof and the correct fix.
SSRF against 169.254.169.254 hands attackers temporary IAM credentials — no authentication required. Complete exploit chain, IMDSv2 limitations, and how to actually block it.
Three JWT attack classes that still work in production codebases: the alg:none bypass, the RS256-to-HS256 confusion attack using the public key as the HMAC secret, and kid parameter injection.
Generating a CycloneDX or SPDX SBOM checks the compliance box. Using it for continuous vulnerability management is a different problem. VEX integration, policy-as-code gates, and diff-based alerting — the full operational model.
Your CI/CD pipeline runs untrusted code with access to production secrets. Malicious pull requests, mutable Action tags, cache poisoning, and self-hosted runner compromise — the complete threat model and hardening checklist.
Step-by-step techniques to detect malicious code, obfuscated scripts, and embedded binaries in Git repos — using grep, YARA, ClamAV, Trivy, and git log forensics.
Set up static analysis with Semgrep, CodeQL, and Bandit in GitHub Actions and GitLab CI. Learn how to block builds on high-severity findings and reduce false positives.
Compare Trivy, Grype, and Docker Scout for container image scanning. Includes CI gate patterns, SBOM generation, and base image hardening strategies.
Detect leaked API keys, tokens, and credentials using grep patterns, Trufflehog, and Gitleaks. Set up pre-commit hooks and CI gates to prevent future leaks.
Plain-English guide to Software Bills of Materials: what they are, why Log4Shell made them essential, the difference between CycloneDX and SPDX, and how to generate one today.
All 10 OWASP Top 10 (2021) vulnerabilities explained with real vulnerable code, working exploits, and fixed versions — from injection and broken auth to SSRF and supply chain risks.
CI/CD scanning catches vulnerabilities minutes before merge. IDE scanning catches them seconds after they are written. The feedback loop difference changes developer behaviour permanently.
At a handful of repos, scanning is a CI config problem. At ten thousand, it is a distributed systems problem. Architecture, tooling, and process strategies for enterprise-scale AppSec.
Practical guide to SAST, SCA, secrets scanning, and IaC integration in GitHub Actions and GitLab CI — with real configuration examples and security gate patterns that actually block.
"SCA" and "dependency scanning" are used interchangeably in vendor marketing — but they describe different scopes. Understanding the difference determines whether your programme covers what you think.
LLMs generate code that looks correct but is often insecure. Hardcoded secrets, SQL injection via string interpolation, disabled SSL verification — the specific patterns AI code generators produce.
By the time a secret reaches CI/CD, it has already been committed to Git history. Git history is permanent. Secret and PII scanning must happen before the first commit.
IaC scanners apply static analysis to Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles — catching misconfigurations before infrastructure is provisioned. Tools, techniques, and CI/CD patterns.
SAST covers some OWASP categories well and others not at all. A detailed breakdown of which require DAST or SCA — and what a complete OWASP compliance programme actually looks like.
SAST, DAST, IAST, SCA, secrets, IaC, container, malware — every scanner type explained in plain English, with what each finds, what it misses, and when to use it.
DAST finds vulnerabilities SAST cannot — DOM-based XSS, auth bypass, race conditions, session fixation — because it tests the actual running application. How to integrate DAST into your pipeline.
Copilot, Cursor, Claude, GPT-4o, Gemini — compared on code quality, security awareness, context handling, and real-world productivity. Which AI coding assistant is best for security-conscious teams?
Vibe coding ships products fast — but does it ship secure products? An evidence-based assessment of the vulnerability patterns AI-generated code introduces and how to mitigate them.
AI generates Terraform modules, reviews drift, and automates deployments — but introduces new IaC security risks. What is genuinely useful, what is dangerous, and how to keep AI-generated infrastructure secure.
AI can scaffold a full application in under an hour. But the security debt it creates — BOLA, hardcoded secrets, broken auth — can take months to pay down. How to measure the real cost.
AI coding is transformative but experienced engineers use it selectively. Context windows, edge cases, security blind spots, and maintainability debt — the real limits of AI-first development.
AI can accelerate every phase of the SDLC — from requirements and threat modelling to code review and deployment — without sacrificing security. A practical blueprint for AI-augmented secure development.
Prompt injection, training data poisoning, model extraction, adversarial examples, supply chain attacks — the attack classes that target AI systems and how to defend against them.
AI-generated code has distinctive structural, stylistic, and security patterns. Learn how to detect it in your codebase and why knowing changes how you should approach security review.
SQL injection is still one of the most exploited vulnerabilities on the web. Learn how attackers use it to dump databases, bypass auth, and take over servers — and how parameterized queries stop it cold.
Reflected, stored, and DOM-based XSS all let attackers run JavaScript in your users' browsers. Here's how each variant works, with real payloads, and why Content Security Policy is your best defence.
Broken access control is the #1 vulnerability on the OWASP Top 10. Learn how IDOR (Insecure Direct Object Reference) attacks work, why automated scanners miss them, and how to add server-side ownership checks.
APIs are the attack surface that keeps growing. This guide covers the OWASP API Top 10, JWT algorithm confusion, mass assignment, and how to automate API security testing in your CI/CD pipeline.
Prompt injection is the new SQL injection — and most teams building AI features don't know they're already vulnerable. Learn how direct and indirect injection work in LLM-powered apps and how to defend against them.
SolarWinds, Log4Shell, XZ Utils — supply chain attacks are on the rise. Here's exactly how dependency confusion, typosquatting, and build system compromise work, and what SBOMs actually help with.
Running containers as root, using outdated base images, storing secrets in ENV vars — these are the mistakes that turn a Docker deployment into a breach. Learn what to fix and how to scan for it automatically.
Hardcoded API keys and passwords committed to Git repositories cause some of the biggest breaches every year. Learn how attackers find them, why rotating isn't enough, and how pre-commit hooks and vaults prevent them.
"Never trust, always verify" is more than a slogan — it's a complete architectural shift. This guide explains the three pillars of Zero Trust, how micro-segmentation works, and what a real implementation roadmap looks like.
Open S3 buckets, IAM wildcard permissions, public RDS snapshots — cloud misconfiguration causes more breaches than zero-days. Learn the most dangerous misconfigs, how attackers find them in minutes, and how CSPM tools help.
Fixing a vulnerability in production costs 30x more than fixing it during development. DevSecOps is about embedding security into every stage of the pipeline — here's exactly how to do it with real GitHub Actions YAML examples.
Ransomware isn't just an IT problem — it's a software security problem. Learn the attack kill chain from initial access to encryption, how double extortion works, and the specific developer practices that reduce your blast radius.
Pen testing isn't the same as vulnerability scanning. This guide explains the difference, walks through the five phases of a real penetration test, and shows how automated DAST tools bridge the gap for teams without a red team.
A CVSS 9.8 score doesn't always mean "fix immediately" — context matters. This guide explains how CVSS scoring works, what EPSS adds, and how to prioritise a backlog of hundreds of CVEs without burning out your team.
CSRF tricks authenticated users into making requests they never intended. Learn how the attack works step by step, why it bypasses traditional auth, and how SameSite cookies and CSRF tokens are your two-line fix.
OWASP A02 isn't about accidentally exposing data — it's about shipping broken or missing cryptography. MD5 passwords, hardcoded keys, verify=False in HTTP clients, ECB mode. Here's what to actually fix.
Debug mode on, default credentials, exposed admin panels, missing security headers — security misconfiguration is the most common vulnerability OWASP records and the easiest to prevent with the right automation.
XXE exploits insecure XML parsers to read server files, trigger SSRF, and exfiltrate data out of band via DNS. If your app processes XML — SOAP, SVG uploads, document imports — and you haven't hardened your parser, you're likely vulnerable.
pickle.loads with user input, Java ObjectInputStream without filters, PHP unserialize — these don't just crash your app. They hand an attacker a shell. Here's how gadget chains work and how to eliminate the risk.
../../../etc/passwd is the obvious payload — but URL encoding, double encoding, and null bytes bypass naive filters. The fix isn't filtering dots; it's canonicalising the path and verifying it stays inside your base directory.
shell=True with user input. exec() with a template string. These are how command injection happens — and the fix is using subprocess list form, not trying to escape metacharacters. Here's everything you need to know.
Credential stuffing works because users reuse passwords. Weak session IDs are enumerable. Predictable reset tokens are brute-forceable. This post covers the full spectrum of authentication failures and what modern apps should do instead.
BOLA is the number one API vulnerability — and it's just a missing user ownership check. Mass assignment sets fields attackers shouldn't touch. This guide walks through all 10 OWASP API risks with concrete code examples.
Negative quantities that trigger refunds. Race conditions that let a coupon be used twice. Workflow steps you can skip to get premium access for free. These flaws are syntactically correct code implementing the wrong rules.
Clickjacking layers your site in a transparent iframe and tricks users into clicking things they can't see. X-Frame-Options or CSP frame-ancestors stops it completely. Here's how the attack works and why JavaScript frame-busting doesn't cut it.
63% of security teams are using AI copilots for real-time security feedback in developer IDEs. Here's how these tools work under the hood, which vulnerability patterns they catch reliably, and how to integrate them without killing developer velocity.
Bearer tokens are stolen and replayed every day. Sender-constrained tokens with DPoP and mTLS bind credentials to the client — a stolen token is useless without the private key. Learn how to implement both.
SBOMs tell you what's in your software. Sigstore, SLSA, and in-toto attestations tell you whether it was tampered with. After the GhostAction attack in 2025, provenance verification is no longer optional.
Security Misconfiguration jumps to #2, a brand new A10 Exceptional Conditions category appears, and the data methodology changed. Here's the full breakdown of what's different in the 2025 edition and what your programme needs to update.
70% of enterprise codebases now contain AI-generated code. Copilot and other LLMs reliably get cryptography, error handling, and injection wrong in ways that classic SAST rules aren't tuned to catch. Here's what to do about it.
Employees are deploying Model Context Protocol servers without IT oversight, giving AI agents access to production databases, file systems, and APIs. Shadow MCP is 2026's shadow IT problem — and it's already in your environment.
WAFs guard the perimeter but they can't see inside your running application. Runtime Application Self-Protection instruments your code to block exploits from within — catching zero-days that WAF signatures will never catch.
Log injection lets attackers write fake log entries — making it look like they were never there, or framing other users. With CVEs in Django and Envoy Gateway in 2025, this underestimated attack class deserves a proper look.
Quantum computers will break RSA and ECC. The harvest-now-decrypt-later threat is real today — adversaries are recording encrypted traffic now to decrypt later. NIST finalised its post-quantum standards in 2024. Here's your migration guide.
Overpermissive RBAC is the #1 way attackers escalate from a compromised pod to full cluster ownership. Here are the wildcard traps, dangerous permission combinations, and privilege escalation chains we find in almost every Kubernetes assessment.
OAuth 2.0 is everywhere but almost nobody implements it correctly. Open redirects steal auth codes, missing state parameters enable CSRF, tokens leak in referrer headers, and PKCE implementations have bypassable edge cases.
AI remediation engines are now generating merge-ready patches from scanner findings. How they work, what they get right, what they get dangerously wrong, and how to build an approval gate that keeps humans in the loop.
GPT-4o, Claude, and Gemini can generate security remediation pull requests from vulnerability reports. The output looks convincing — but the correctness rate varies wildly by vulnerability class. Here's the data.
Most SAST findings are noise. AI triage classifiers trained on your codebase context can suppress false positives with 90%+ precision — here's how to build and validate one without introducing blind spots.
Autonomous security agents can detect a vulnerability, understand its context, generate a fix, open a PR, and monitor the deployment — without human intervention. The architecture, risks, and guardrails you need.
npm audit fix blindly upgrades. AI remediation understands breaking change risk, API compatibility, and test coverage before proposing a version bump. The difference matters at scale.
From a raw CVE identifier to a reviewed, tested, merge-ready pull request — entirely driven by AI. The pipeline design, the LLM prompting strategy, and the human-in-the-loop checkpoints you must never skip.
AI can generate a STRIDE threat model from an architecture diagram and then produce prioritised remediation recommendations — closing the gap between threat identification and actual code fixes.
Traditional SOAR playbooks require months of manual authoring and break whenever environments change. AI agents that understand intent, not just rules, can replace brittle playbooks with adaptive response.
Security backlogs grow because findings arrive faster than engineers can remediate them. Continuous auto-remediation flips the model — every finding triggers an automated fix attempt before it reaches the backlog.
tfsec flags an open security group. An AI agent understands the intent of the resource, generates a least-privilege fix, validates it with terraform plan, and opens a PR — in under two minutes.
Detecting a leaked secret is the easy part. Rotating it, updating all consumers, and re-deploying without downtime is the hard part. AI agents can orchestrate the full rotation workflow — here's how.
CVSS scores tell you theoretical severity. EPSS predicts exploitation probability. LLMs understand your codebase context. Combining all three produces a remediation queue that matches real-world risk — not spreadsheet risk.
GitHub Actions turns your repository into a fully automated CI/CD platform. Learn how workflows, jobs, steps, and triggers work — and how to build your first pipeline from scratch.
GitLab CI/CD jobs are the atomic units of your pipeline. Learn how to configure stages, jobs, artifacts, caching, and rules in .gitlab-ci.yml — from first pipeline to advanced patterns.
Your CI/CD pipeline is where shift-left security happens. Learn how to integrate SAST, SCA, secret scanning, container scanning, and DAST into your delivery pipeline — without slowing teams down.
What separates a mature DevSecOps platform from a collection of scanning tools? This guide breaks down the capabilities, integrations, and cultural practices that define an ideal DevSecOps solution.
Jenkins is powerful but exposes significant attack surface when misconfigured. Learn how to harden Jenkins controllers, secure credentials, lock down plugins, and integrate security scanning into Jenkinsfiles.
A mature Secure SDLC embeds security at every phase — design, development, testing, and deployment. Here is what each phase looks like when security is genuinely integrated rather than bolted on.
Secure SDLC and DevSecOps are often used interchangeably — but they represent different eras of thinking about software security. Here is how they differ and how they relate to each other.
The later a vulnerability is found in the SDLC, the more it costs to fix. Shift left security moves detection to design, coding, and CI/CD — before vulnerabilities reach production.
GitHub Actions runs with access to your secrets, code, and cloud environments. Learn how to lock down permissions, pin actions to SHAs, use OIDC tokens, and prevent workflow injection attacks.
Attackers target your CI/CD pipeline, not just your code. Learn how dependency confusion, malicious actions, build poisoning, and artifact tampering work — and how to defend against each.
GitLab includes SAST, DAST, SCA, secret detection, and container scanning built in. Learn how to configure each scanner, understand their real limitations, and fill the gaps.
You can't improve what you don't measure. Learn the DevSecOps metrics that matter — MTTR, vulnerability escape rate, security debt, false positive rate, and developer adoption.
We publish one deep-dive per month on application security, IaC scanning, DevSecOps tooling, and vulnerability research. Engineers only.