Doc's Office
Identity Lifecycle Management for NHIs: Key Security Challenges

Machine identities such as service accounts and API keys greatly outnumber human identities, but they tend to lag far behind when it comes…
14 Sep 2025 8 min read
SSH Certificates: A Complete Guide

When it comes to securing access to your Linux servers, the choice of SSH authentication method can make a world of difference. With…
09 Mar 2025 9 min read
Balancing Security and Velocity in Modern Software Development

The Inherent Tension
20 Feb 2025 7 min read
Self-Hosting Infisical: A Guide to Securing Your Homelab’s Secrets

In 2025, the magic of “the cloud” seems to be waning. Companies increasingly see the benefits of self-hosting or taking a hybrid approach…
11 Feb 2025 9 min read
Detection Engineering: A Case Study

The battles between attackers and defenders get more sophisticated every day. Both sides are locked in a constant back-and-forth game of…
27 Dec 2024 8 min read
How to Handle Secrets in Configuration Management Tools

Configuration management tools like Ansible, Chef, and Puppet have been around for almost 20 years. They are starting to become more niche as…
20 Dec 2024 6 min read
Security Culture: The Best Tool Money Can’t Buy

Security culture is something that remains fairly vague despite how often it gets talked about. A lot of people can tell you what a good…
06 Nov 2024 6 min read
Making Sense of Open-Source Vulnerability Databases: NVD, OSV, and more

Open-source vulnerabilities are arguably the most ubiquitous part of application security. Software developers are constantly plagued by an…
26 Jul 2024 8 min read
Pipeline Integrity and Security in DevSecOps

This is the third blog post in a series that is taking a deep dive into DevSecOps program architecture. The goal of this series is to…
14 May 2024 11 min read
Secure-by-Design Software in DevSecOps

This is the second blog post in a series that is taking a deep dive into DevSecOps program architecture. The goal of this series is to…
24 Apr 2024 13 min read
Vulnerability Management Lifecycle in DevSecOps

In this new series, I am sharing my strategy for implementing secure-by-design software processes that empower engineering teams. The first…
27 Mar 2024 11 min read
How to Handle Mobile App Secrets

Learn why storing secrets in mobile apps is a major security risk, how to manage user and developer secrets properly, and why client-side…
23 Feb 2024 6 min read
How to Become Great at API Key Rotation: Best Practices and Tips

Secret management can be a complex challenge. In this article, we will take you from zero to hero on key rotation.
28 Dec 2023 6 min read
Secure Code Review Best Practices [cheat sheet included]

Reducing vulnerabilities in your software means manual and automated secure code reviews. Download our handy cheat sheet and learn more!
26 Jul 2023 5 min read
Best Practices for Securing Infrastructure as Code (IaC) in the DevOps SDLC [cheat sheet included]

Infrastructure as code (IaC) is the practice of managing and provisioning computing resources using configuration files or scripts rather…
13 Apr 2023 7 min read
Thinking Like a Hacker: Finding Source Code Leaks on GitHub

About this series
07 Dec 2022 4 min read
Thinking Like a Hacker: Stealing Secrets with a Malicious GitHub Action

How can an attacker exploit leaked credentials? Fourth case: secrets are stolen with a malicious GitHub action.
13 Oct 2022 4 min read
Thinking Like a Hacker: Commanding a Bot Army of Compromised Twitter Accounts

How can an attacker exploit leaked credentials? Third case: Twitter API keys are used to pump an altcoin.
26 Sep 2022 4 min read
Thinking Like a Hacker: AWS Keys in Private Repos

How can an attacker exploit leaked credentials? Second case: an AWS secret is found in a private repository.
12 Aug 2022 4 min read
Thinking Like a Hacker: Abusing Stolen Private Keys

The first entry in a new series about leaked secret abuse.
21 Jul 2022 4 min read
Securing Containers with Seccomp: Part 2

This tutorial will guide you through the setup of a GitHub Action generating a Seccomp filter for your application, a cutting-edge security…
01 Apr 2022 9 min read
Securing Containers with Seccomp: Part 1

In this article we present a novel way to protect your container applications post-exploitation. This additional protection is called…
24 Mar 2022 7 min read
Best practices: 5 Risks to Assess for a Secure CI Pipeline

More and more parts of the software development process can occur without human intervention. However, this is not without its drawbacks…
07 Jan 2022 6 min read
CISO Roadmap: The First 90 Days

Learn about three key areas you need to think about as a CISO, and develop a plan for strengthening your information security program. (I originally wrote this article for GitGuardian's blog.) Introduction: You may have found this article for several reasons. Maybe you just landed a big promotion
12 Nov 2021 8 min read
Reverse Shell Anywhere and Python Buffer Hell

Reverse Shell Anywhere and Python Buffer Hell

At work I've been working on a project that will allow us to get an elevated shell on a computer that we own regardless of whether or not the device is on-premises or in the employee's home. Our EDR solution offers a type of "live
05 Jan 2021 5 min read
Page 1 of 2
Doc's Office © 2026