Blog
Writing that respects your time
Practical, answer-first writing on airgapped security, post-quantum migration, compliance, and application security practice. 20 articles and growing.
Post-quantum
Harvest now, decrypt later: the quantum threat that is already happening
Harvest-now-decrypt-later means encrypted data stolen today can be decrypted when quantum computers mature. Here is how to work out which of your data is already at risk.
Is your cryptography ready for the quantum era? A practical walkthrough
A step-by-step method to assess post-quantum readiness: inventory your cryptographic assets, classify them against NIST standards, and turn the result into a migration plan.
Planning a PQC migration: the inventory-first method
Post-quantum migrations fail in the discovery phase, not the deployment phase. An inventory-first plan that turns crypto migration into ordinary, schedulable engineering work.
The NIST post-quantum standards, explained for engineering teams
ML-KEM, ML-DSA, and SLH-DSA in plain language: what each standard does, where it replaces RSA and elliptic curves, and what engineering teams should do with them now.
What is a CBOM, and why did regulators start asking for it?
A CBOM is a cryptography bill of materials: a machine-readable inventory of every algorithm, key, certificate, and protocol in your software. Here is what it contains and who is asking.
Compliance
DORA is live: what supervisors actually sample on the software side
The Digital Operational Resilience Act is now in force for EU financial entities. Here is what its software-layer duties look like under supervisory examination.
SBOM requirements compared: NTIA, EU CRA, FDA, and BSI TR-03183
The four SBOM specifications that matter, what each actually requires, and how to produce one SBOM pipeline that satisfies all of them.
SEBI CSCRF in practice: a working guide for market intermediaries
SEBI's Cybersecurity and Cyber Resilience Framework consolidated cyber obligations for Indian capital-market entities. What the software-side duties require and how to evidence them.
The EU Cyber Resilience Act countdown: what software makers must prepare
The CRA's main obligations apply on a fixed deadline, with reporting duties arriving earlier. A practical preparation sequence for software and product makers selling into the EU.
Why auditors reject your SBOM (and how to fix each reason)
The six most common reasons SBOMs fail audit and procurement review: missing graphs, hand-assembly, silent gaps, stale snapshots, format violations, and no lifecycle story.
AppSec practice
Airgapped DevSecOps: a working pipeline with zero internet access
How to run a complete DevSecOps pipeline, scanning, vulnerability data, and build gates included, inside a network that never touches the internet.
CVSS, EPSS, and KEV: turning three signals into one honest queue
CVSS measures severity, EPSS predicts exploitation likelihood, KEV records confirmed exploitation. How to combine them, plus reachability, into a work order that reflects real risk.
False positives are a process failure, not a tool feature
Teams treat scanner noise as weather: unavoidable, endured. It is neither. How evidence, stable fingerprints, and gate design reduce false-positive cost to nearly zero.
Structural detection vs pattern matching: why idioms defeat regex scanners
Pattern-based scanners detect the examples they were taught; structural analysis detects the vulnerability class. Why the difference decides what your scanner misses after every refactor.
Why deterministic scanners change how you gate builds
When a scanner produces the same result for the same input every time, build gates, diffs, and audits start meaning something. Why determinism is the most underrated property in security tooling.
Your git history is leaking secrets right now
Deleted does not mean gone: credentials committed years ago live on in git history, forks, and build artifacts. How to find them, rotate them, and stay clean permanently.
Supply chain
M&A code due diligence: what acquirers find in the first 48 hours
In software acquisitions the codebase is the asset and its security debt is an undisclosed liability. The four scans that reprice deals, and how to run them under deal-room constraints.
Scanning vendor software you did not write (and cannot read)
Questionnaires are not assurance. How to analyze the binaries, images, and packages vendors ship you: component identification, vulnerability matching, secrets, and ongoing monitoring, without source code.
Supply chain attacks do not respect tool boundaries
Real supply chain compromises cross layers: a dependency, a build step, a container, a credential. Why siloed scanners miss the pattern and correlated coverage catches it.
What airgapped actually means (and what vendors mean when they say it)
Airgapped, on-premises, private cloud, offline mode: these terms get used interchangeably by vendors and mean very different things. A buyer's guide to the real spectrum, with test questions.
Want new articles in your inbox?
Use the contact form and tick the updates box.