Documenting the intersection of system architecture, cybersecurity protocols, and engineering leadership.
On May 11 between 19:20 and 19:26 UTC, 84 malicious @tanstack/* npm versions shipped with valid SLSA Build Level 3 provenance. The signatures verified. The canon held. The consumer was...
Practical takeaways from the May 2026 TanStack compromise. How to harden CI/CD trust primitives, and how to resize the operating model around modern security artefacts....
A small Slack-native vulnerability coordination workflow POC built on free-tier SaaS, with Postgres as the spine, n8n as deterministic glue, and an LLM constrained to...
A walkthrough of the April 2025 CI/CD incident at Grafana Labs - one small misconfiguration, fast detection thanks to canary tokens, and why preparation beats...
The NVD cutbacks are not a funding crisis. They are a design crisis. Monolithic vulnerability intelligence never matched the shape of the actual problem, and...
Agentic development doesn’t just change how fast software is written. It changes who makes security decisions, and at what scale. Here’s what that actually means...
How to collect, visualize, and communicate actionable AppSec metrics that bridge the gap between security engineering and leadership priorities.
If you want to build an appsec program, here are five valuable recommendations to take into consideration.