Deep technical dives on application security, infrastructure scanning, SAST, secrets management, and the mechanics of building secure software pipelines — no marketing fluff.
Most IaC scanners run against your working directory — but Terraform modules sourced from Git are fetched at terraform init time, in the wrong place, or never at all.
npm audit only reads your lockfile. It has no idea about the jQuery 1.11 sitting in your static folder since 2015. Here is what it misses and how to actually find it.
Untrusted input flowing through ${{ github.event.issue.title }} into shell commands is a class of injection that static analysers routinely overlook.
Rotating a leaked key in your current branch does nothing to the commit SHA where it lived. Here is how attackers recover rotated secrets from public repositories — and how to actually remediate.
A CVE in a direct dependency gets patched. The vulnerable version stays in your lockfile via an indirect transitive path your scanner never flags.
Admission webhooks that fail-open during outages create a narrow window where unsigned, unscanned images bypass your entire security policy chain.
Modern prototype pollution chains through gadgets in popular frameworks in ways that rule-based SAST engines simply cannot model. Here is the gap.
RUN rm .env doesn't remove the secret from the image — it just hides it behind a whiteout file. Every previous layer is still there, still readable. Here is the extraction proof and the correct fix.
SSRF against 169.254.169.254 hands attackers temporary IAM credentials — no authentication required. Complete exploit chain, IMDSv2 limitations, and how to actually block it.
Three JWT attack classes that still work in production codebases: the alg:none bypass, the RS256-to-HS256 confusion attack using the public key as the HMAC secret, and kid parameter injection.
Generating a CycloneDX or SPDX SBOM checks the compliance box. Using it for continuous vulnerability management is a different problem. VEX integration, policy-as-code gates, and diff-based alerting — the full operational model.
Your CI/CD pipeline runs untrusted code with access to production secrets. Malicious pull requests, mutable Action tags, cache poisoning, and self-hosted runner compromise — the complete threat model and hardening checklist.
Step-by-step techniques to detect malicious code, obfuscated scripts, and embedded binaries in Git repos — using grep, YARA, ClamAV, Trivy, and git log forensics.
Set up static analysis with Semgrep, CodeQL, and Bandit in GitHub Actions and GitLab CI. Learn how to block builds on high-severity findings and reduce false positives.
Compare Trivy, Grype, and Docker Scout for container image scanning. Includes CI gate patterns, SBOM generation, and base image hardening strategies.
Detect leaked API keys, tokens, and credentials using grep patterns, Trufflehog, and Gitleaks. Set up pre-commit hooks and CI gates to prevent future leaks.
Plain-English guide to Software Bills of Materials: what they are, why Log4Shell made them essential, the difference between CycloneDX and SPDX, and how to generate one today.
All 10 OWASP Top 10 (2021) vulnerabilities explained with real vulnerable code, working exploits, and fixed versions — from injection and broken auth to SSRF and supply chain risks.
CI/CD scanning catches vulnerabilities minutes before merge. IDE scanning catches them seconds after they are written. The feedback loop difference changes developer behaviour permanently.
At a handful of repos, scanning is a CI config problem. At ten thousand, it is a distributed systems problem. Architecture, tooling, and process strategies for enterprise-scale AppSec.
Practical guide to SAST, SCA, secrets scanning, and IaC integration in GitHub Actions and GitLab CI — with real configuration examples and security gate patterns that actually block.
"SCA" and "dependency scanning" are used interchangeably in vendor marketing — but they describe different scopes. Understanding the difference determines whether your programme covers what you think.
LLMs generate code that looks correct but is often insecure. Hardcoded secrets, SQL injection via string interpolation, disabled SSL verification — the specific patterns AI code generators produce.
By the time a secret reaches CI/CD, it has already been committed to Git history. Git history is permanent. Secret and PII scanning must happen before the first commit.
IaC scanners apply static analysis to Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles — catching misconfigurations before infrastructure is provisioned. Tools, techniques, and CI/CD patterns.
SAST covers some OWASP categories well and others not at all. A detailed breakdown of which require DAST or SCA — and what a complete OWASP compliance programme actually looks like.
SAST, DAST, IAST, SCA, secrets, IaC, container, malware — every scanner type explained in plain English, with what each finds, what it misses, and when to use it.
DAST finds vulnerabilities SAST cannot — DOM-based XSS, auth bypass, race conditions, session fixation — because it tests the actual running application. How to integrate DAST into your pipeline.
Copilot, Cursor, Claude, GPT-4o, Gemini — compared on code quality, security awareness, context handling, and real-world productivity. Which AI coding assistant is best for security-conscious teams?
Vibe coding ships products fast — but does it ship secure products? An evidence-based assessment of the vulnerability patterns AI-generated code introduces and how to mitigate them.
AI generates Terraform modules, reviews drift, and automates deployments — but introduces new IaC security risks. What is genuinely useful, what is dangerous, and how to keep AI-generated infrastructure secure.
AI can scaffold a full application in under an hour. But the security debt it creates — BOLA, hardcoded secrets, broken auth — can take months to pay down. How to measure the real cost.
AI coding is transformative but experienced engineers use it selectively. Context windows, edge cases, security blind spots, and maintainability debt — the real limits of AI-first development.
AI can accelerate every phase of the SDLC — from requirements and threat modelling to code review and deployment — without sacrificing security. A practical blueprint for AI-augmented secure development.
Prompt injection, training data poisoning, model extraction, adversarial examples, supply chain attacks — the attack classes that target AI systems and how to defend against them.
AI-generated code has distinctive structural, stylistic, and security patterns. Learn how to detect it in your codebase and why knowing changes how you should approach security review.
We publish one deep-dive per month on application security, IaC scanning, DevSecOps tooling, and vulnerability research. Engineers only.