Security Engineering Blog

AppSec & DevSecOps.
Written for engineers.

Deep technical dives on application security, infrastructure scanning, SAST, secrets management, and the mechanics of building secure software pipelines — no marketing fluff.

Tags: IaC Security, Terraform, CI/CD

Terraform Git Source Modules: The IaC Vulnerability Your Scanner Never Reaches

Most IaC scanners run against your working directory, but Terraform modules sourced from Git are only fetched at `terraform init` time, so they are scanned in the wrong place or not at all.

Tags: SCA, JavaScript, npm

npm audit Says You're Clean. Your /static/vendor/ Folder Disagrees.

npm audit only reads your lockfile. It has no idea about the jQuery 1.11 sitting in your static folder since 2015. Here is what it misses and how to actually find it.

Tags: SAST, GitHub Actions

Why SAST Misses Vulnerabilities Introduced via GitHub Actions Expressions

Untrusted input flowing through ${{ github.event.issue.title }} into shell commands is a class of injection that static analysers routinely overlook.

Tags: Secrets, Git History

Secrets That Outlive Their Rotation: Git History as a Credential Store

Rotating a leaked key in your current branch does nothing to the commit SHA where it lived. Here is how attackers recover rotated secrets from public repositories — and how to actually remediate.

Tags: SCA, Supply Chain

Transitive Dependency Confusion: How SCA Tools Miss the Real Risk in Deep Dependency Trees

A CVE in a direct dependency gets patched. The vulnerable version stays in your lockfile via an indirect transitive path your scanner never flags.

Tags: Container, DevSecOps

Container Escape via Misconfigured Kubernetes Admission Controllers

Admission webhooks that fail-open during outages create a narrow window where unsigned, unscanned images bypass your entire security policy chain.

Tags: AppSec, OWASP

Prototype Pollution in Node.js: Why Your SAST Rules Are Ten Years Behind the Exploitation Techniques

Modern prototype pollution chains through gadgets in popular frameworks in ways that rule-based SAST engines simply cannot model. Here is the gap.


We publish one deep-dive per month on application security, IaC scanning, DevSecOps tooling, and vulnerability research. Engineers only.