Web application security articles
Offensive and defensive security for builders.
Practical writing on how web applications break, how teams defend them, and how security engineers can turn reviews, threat models, and hardening work into useful engineering outcomes.
Featured
Start here
Securing the AI-Powered Workplace: Understanding the New Attack Surface
A practical look at the security risks introduced by AI assistants, copilots, agents, plugins, and enterprise knowledge integrations.
My Review: SANS SEC 530: Defensible Security Architecture and Engineering
My personal review and key takeaways from SANS SEC 530, covering security architecture, Zero Trust, monitoring, and the GDSA exam.
Latest blogs
Web, application, and cloud security notes
NPM Supply Chain Attacks: When Your JavaScript Dependencies Become a Security Risk
A practical introduction to how npm dependencies, transitive packages, maintainer accounts, and installation workflows can become supply chain security risks.
How to Optimize Docker Images for Speed & Security
Security-first techniques for building container images that are lean, fast, and easier to harden.
Threat Modeling with STRIDE: A Practical Walkthrough
A walkthrough of STRIDE using a simple web application architecture, designed for teaching and real-world review sessions.