Practical perspectives on building security teams, automating compliance, solving architectural challenges, and navigating the organizational dynamics that make security programs succeed or fail.
Enjoying this? Get new posts by email.
If you run local agents, you need to make tough choices between autonomy and safety. Setting dangerously-skip-permissions while sword fighting on desk chairs and letting the tokens burn bright is an out-of-reach dream when you’re forced to babysit file access and “can I use the internet for this?” requests. But...
Read more →Running security for AWS-centric companies means getting down and dirty with CloudTrail. Not only will you crawl the logs with SIEMs to “find the baddies” via IoCs; as a proactive...
Read →GRC tools like Vanta cost $12K+/year and lock your compliance docs in proprietary systems. GraphGRC v2 gives you SOC 2 documentation in GitHub - pre-written controls, policies, and processes in...
Read →Dependabot throws security alerts but sometimes can't create pull requests. Here's a GitHub Action that automatically sends failed alerts to Copilot for resolution.
Read →Raccoons are both advanced and persistent threats. After one attacked my chihuahua Jolene, I declared war on my backyard invaders. Through ultrasonic deterrents, motion-activated sprinklers, and wacky inflatable air dancers,...
Read →Data retention covers two different problems - preservation (minimum time you must keep archival data) and deletion (maximum time you can keep personal data). They require opposite technical approaches -...
Read →Your new hire sits through generic security training, clicks through a 47-page policy, and gets random access over time. Three months later they ping for production access. The policies? Nobody's...
Read →Modern software companies use a lot of software services. Traditional security teams address third-party risk through certifications and questionnaires, but there's an opportunity to actually reduce risk by collaborating with...
Read →A framework for helping security engineers choose high-impact work using three criteria - business goals, implicit interest, and personal growth.
Read →Running EKS in FedRAMP environments requires careful implementation across multiple security domains
Read →Learn how software vendors can serve FedRAMP-authorized cloud service providers without going through the full authorization process.
Read →Learn how to leverage AWS Bedrock to create a FedRAMP-compliant AI assistant for your System Security Plan without exposing sensitive information.
Read →