# All the articles I've posted.
- The Rise of Supply Chain Attacks: Why 2025–2026 Changed Everything
  Supply chain attacks have evolved from rare, high-profile incidents into industrialized, automated campaigns targeting the open-source ecosystem at scale. The software supply chain is no longer a side door — it's the primary attack surface of the modern era.

- Introducing OWASP ThreatAtlas: Collaborative Threat Modeling at Scale
  An introduction to OWASP ThreatAtlas — a collaborative platform for creating, tracking, and mitigating application threats — and the story behind initiating the project.

- DAST with OWASP ZAP in CI/CD Pipelines
  Dynamic Application Security Testing often gets skipped because it's hard to automate. Here's how to integrate OWASP ZAP into your pipeline without it becoming a blocker.

- EPSS: A Smarter Way to Prioritize CVEs
  CVSS scores alone are a poor guide for prioritization. EPSS uses real exploit data to tell you what's actually being exploited in the wild — and that changes everything.

- Zero Trust Security for Microservices
  What Zero Trust actually means in a microservices architecture — and how to implement it with service mesh, mTLS, and workload identity.

- Hardening GitHub Actions Workflows
  GitHub Actions is powerful and widely trusted — which makes misconfigured workflows a high-value attack target. Here's how to lock them down.

- Software Supply Chain Security and SBOMs
  What SBOMs actually are, why they matter after Log4Shell and SolarWinds, and how to generate and use them in practice.

- Secrets Management in CI/CD Pipelines
  How to stop treating secrets as an afterthought in your pipelines — and what actually works in practice.

- Why I Started Building ScanDog
  After a decade of security engineering and watching teams drown in vulnerability noise, I decided to build the tool I always wished existed.

- Deep Dive into Tetragon
  Deep Dive into Tetragon: eBPF-Based Security Observability and Runtime Enforcement