Ship Secure Software, Fast.

Join other engineering leaders integrating security-by-design to protect web apps and maintain development speed.

    Blog posts

    Bitwise shift
    Someone else created something cool
    Studying for the CISSP
    Junior cloud security engineer
    Ask for confidence levels
    Spend more time on the out breath
    How to manage vendor risk
    Avoid shared service accounts
    Prevention is not enough
    Principals make the rules
    Backing up passwords
    Grow with repetition
    Bad rules create more problems
    Threat is not vulnerability is not risk
    You have free money in the cloud
    How much to protect a sandwich
    Use business goals to scope your program
    How much should you spend?
    You don't store the key in the vault
    3 metrics cyber insurers appreciate
    Remove some noise
    This is what you have to do
    How to stay on top of so many security projects
    How to get to SOC 2 faster
    What you found is not risk
    Prioritize these vulnerabilities
    Show me you care
    4 features to help you close enterprise clients
    Rapid third-party risk check
    What HIPAA says you should do
    Cost of ownership
    Hidden assumptions
    How to fix t-shirt sizing
    Play more often
    A lot of small things
    Protect your insurance
    SCIM
    The efforts you've made
    7 tips to help you document
    No time for that
    Security postures
    Security awareness roadmap
    Everything is lava
    The hidden budget in your cloud bill
    A reasonable rate
    Develop capabilities
    Permission as a function of responsibility
    Identification
    Blank side
    Repetitions
    Detection with decoys
    Fail forward
    We want better apps
    Not yours, not your problem
    Things customers ask for
    Unblocking change requests
    The price of inaction
    Don't let security slow you down
    Test your assumptions
    A basic cyber risk matrix
    You have enough stuff
    A primer on HIPAA for startups
    Lost time and productivity tax
    Information assurance
    Hiring for cultural fit
    How to red team on a shoestring
    Composing faulty assumptions
    Recommendations from the Cyber Centre
    Common DeFi vulnerabilities from 2021
    Get the build automated
    The real cost of custom systems
    TIL about PCMLTFA
    Take one step
    See == download
    That one integration
    Smart contract risk is not your only risk
    How this website works
    Bringing information systems under management
    Frameworks help you avoid getting fancy
    Measure things
    Separation of duties
    Minimizing exploitability
    Using both risk control levers
    Protect the fun
    On counting
    Adopting practices instead of rules
    You're not ready for a bug bounty program
    Notes on using Kanban
    Controls when you don't have control
    How to adjust the scope of your security program
    Getting started with an asset inventory
    Advice for entry-level cybersecurity resumes
    Simple tricks for document control
    8 basic security topics to consider early on
    Technical controls projects
    Default to safe, private and secure
    Should you keep an inventory?
    ISO27K in short
    How to classify incident severity
    7 organizational controls