Identity Lifecycle Management for NHIs: Key Security Challenges Machine identities such as service accounts and API keys greatly outnumber human identities, but they tend to lag far behind when it comes…
SSH Certificates: A Complete Guide When it comes to securing access to your Linux servers, the choice of SSH authentication method can make a world of difference. With…
Self-Hosting Infisical: A Guide to Securing Your Homelab’s Secrets In 2025, the magic of “the cloud” seems to be waning. Companies increasingly see the benefits of self-hosting or taking a hybrid approach…
Detection Engineering: A Case Study The battles between attackers and defenders get more sophisticated every day. Both sides are locked in a constant back-and-forth game of…
How to Handle Secrets in Configuration Management Tools Configuration management tools like Ansible, Chef, and Puppet have been around for almost 20 years. They are starting to become more niche as…
Security Culture: The Best Tool Money Can’t Buy Security culture is something that remains fairly vague despite how often it gets talked about. A lot of people can tell you what a good…
Making Sense of Open-Source Vulnerability Databases: NVD, OSV, and more Open-source vulnerabilities are arguably the most ubiquitous part of application security. Software developers are constantly plagued by an…
Pipeline Integrity and Security in DevSecOps This is the third blog post in a series that is taking a deep dive into DevSecOps program architecture. The goal of this series is to…
Secure-by-Design Software in DevSecOps This is the second blog post in a series that is taking a deep dive into DevSecOps program architecture. The goal of this series is to…
Vulnerability Management Lifecycle in DevSecOps In this new series, I am sharing my strategy for implementing secure-by-design software processes that empower engineering teams. The first…
How to Handle Mobile App Secrets Learn why storing secrets in mobile apps is a major security risk, how to manage user and developer secrets properly, and why client-side…
How to Become Great at API Key Rotation: Best Practices and Tips Secret management can be a complex challenge. In this article, we will take you from zero to hero on key rotation.
Secure Code Review Best Practices [cheat sheet included] Reducing vulnerabilities in your software means manual and automated secure code reviews. Download our handy cheat sheet and learn more!
Best Practices for Securing Infrastructure as Code (IaC) in the DevOps SDLC [cheat sheet included] Infrastructure as code (IaC) is the practice of managing and provisioning computing resources using configuration files or scripts rather…
Thinking Like a Hacker: Stealing Secrets with a Malicious GitHub Action How can an attacker exploit leaked credentials? Fourth case: secrets are stolen with a malicious GitHub action.
Thinking Like a Hacker: Commanding a Bot Army of Compromised Twitter Accounts How can an attacker exploit leaked credentials? Third case: Twitter API keys are used to pump an altcoin.
Thinking Like a Hacker: AWS Keys in Private Repos How can an attacker exploit leaked credentials? Second case: an AWS secret is found in a private repository.
Thinking Like a Hacker: Abusing Stolen Private Keys The first entry in a new series about leaked secret abuse.
Securing Containers with Seccomp: Part 2 This tutorial will guide you through the setup of a GitHub Action generating a Seccomp filter for your application, a cutting-edge security…
Securing Containers with Seccomp: Part 1 In this article we present a novel way to protect your container applications post-exploitation. This additional protection is called…
GitGuardian Best practices: 5 Risks to Assess for a Secure CI Pipeline More and more parts of the software development process can occur without human intervention. However, this is not without its drawbacks…
CISO Roadmap: The First 90 Days Learn about three key areas you need to think about as a CISO, and develop a plan for strengthening your information security program. (I originally wrote this article for GitGuardian's blog) Introduction You may have found this article for several reasons. Maybe you just landed a big promotion
Reverse Shell Anywhere and Python Buffer Hell At work I've been working on a project that will allow us to get an elevated shell on a computer that we own regardless of whether or not the device is on-premises or in the employee's home. Our EDR solution offers a type of "live