Why security build gates exist, how to handle the cultural pushback, and how to be a genuine partner to development teams instead of a blocker.
Blocking Builds Is Not Being Mean I want to tell you about a conversation I had with a senior engineer about three months into a role where we'd just rolled out automated security gates in the CI pipe...
A step-by-step guide to deploying a genuinely secure API on Azure App Service — covering managed identity, Key Vault, network restrictions, Entra ID auth, TLS, and Application Insights.
Build a Secure Backend API with Azure App Service Azure App Service is one of the fastest ways to get a backend API into production on Azure. It handles the infrastructure plumbing so you can focus on...
A practical guide to building APIs that are secure by default — covering input validation, auth patterns, rate limiting, logging, and error handling.
Building a Secure API 90 Percent of the Time Let me be upfront about the title. You cannot build a perfectly secure API. Anyone who tells you otherwise is selling something. But you absolutely can bui...
A ground-level look at the daily dev workflow of a security engineer — tools, code review process, security automation, Git workflow, and incident response tooling.
Dev Workflow as a Security Engineer: What My Day Actually Looks Like There's a version of "security engineer workflow" content out there that's all threat models and compliance frameworks. That's real...
A practitioner's breakdown of the OWASP API Security Top 10 — what the attacks actually look like and what you can do about them.
Explore API Security - How Do Attacks Happen If you've spent any time in DevSecOps, you already know APIs are the new perimeter. They've eaten the old monolithic app model, and now almost every intere...
An honest review of 'Hacking APIs' by Corey Ball — who should read it, what you'll learn, and how it reshapes your approach to API security.
Hacking APIs by Corey Ball — An AppSec Engineer's Review I picked up "Hacking APIs: Breaking Web Application Programming Interfaces" by Corey Ball after seeing it recommended repeatedly in security ci...
From a defender's perspective: how attackers approach API hacking, and why understanding offense makes you a dramatically better defender.
How to Hack APIs - Approaches from DevSecOps There's a saying in security that I keep coming back to: you can't defend what you don't understand how to attack. I believe that fully. Not in a "let's al...
My practical, reproducible workflow for finding exposed secrets in GitHub repos using trufflehog, gitleaks, and Neovim — with CSV output for reporting.
Hunting Exposed Secrets in GitHub: My Neovim-Powered Workflow Finding secrets in source code is one of those tasks that sounds simple but has enough edge cases and tooling decisions to consume an enti...
A plain-English breakdown of security roles, how teams are structured, and what people actually do day-to-day.
Security Roles and Teams Explained One of the questions I get most often from developers and ops engineers trying to move into security is: "What's the difference between all these roles?" It's a fair...
Cut through the vendor noise and learn what security tools actually do, when you need them, and when you don't.
Security Tools Simplified Let me paint you a picture. You're a developer or an ops engineer and someone from the security team drops into your Slack channel with: "We need to implement SAST, DAST, SCA...
Why you should automate everything you do more than once, and how to actually start — shell scripts, CI/CD, cron jobs, reporting automation, with real examples.
Automate Everything: The Philosophy and Practice of Getting Out of Your Own Way I have a rule: if I do something twice, I consider automating it. If I do it three times, I automate it. This is not an...
A hands-on walkthrough of building security into CI/CD pipelines with real YAML examples across GitHub Actions, Azure DevOps, and GitLab CI.
Building a Secure DevOps Pipeline I want to start with something that took me too long to internalize early in my career: the pipeline is the best security control you have. Not the firewall. Not the...
The essential Kubernetes security concepts every practitioner needs to know before they get paged at 2am.
Kubernetes Security: A Beginner's Field Guide Let me be straight with you: Kubernetes is one of the most powerful platforms we have, and also one of the easiest to misconfigure. I've seen production c...
How to use pipelines as security enforcement points — implementing policy-as-code, tuning gates, and making security a guardrail instead of a bottleneck.
Pipeline Your Way to Safety There's a version of security that looks like this: a team of security engineers sitting downstream of development, reviewing things after they've been built, filing ticket...
How security fits into the platform engineering movement — and why platform engineering done right makes secure defaults the path of least resistance.
Platform Engineering Is Security's Best Friend (If You Do It Right) Here's a frustrating truth about enterprise security: most of the vulnerabilities I see in production aren't there because developer...
Honest reviews of the three books that most shaped my approach to DevSecOps: The DevOps Handbook, Alice and Bob Learn Application Security, and Securing DevOps.
Top Three Books on DevSecOps I read a lot of technical books. Most of them I skim for useful patterns and discard. A handful I've returned to repeatedly — books that changed how I think about problems...
Why code reviews are the most underrated learning tool in software engineering — and how to actually do them well.
Code Reviews - The Road to Learning Here's an unpopular opinion: the code review is the single most valuable learning tool available to a working software engineer, and most teams treat it like a rubb...
The myth of the one true editor, when Neovim shines vs when JetBrains is the right call, dotfiles culture, and how to build a workflow that uses the best of both.
Editors: Why I Use Both Neovim AND JetBrains (And Why That's Not a Contradiction) Let me get the tribal war out of the way early: I use Neovim. I also use JetBrains IDEs. I have no internal conflict a...
Stop chasing every new framework and learn the fundamentals that transfer everywhere — the pillars that outlast the hype cycle.
Stop Framework Hopping and Find the Pillars Every few months, the tech community collectively loses its mind over a new framework. You've seen the cycle. Someone posts a thread — on Twitter or Bluesky...
Stop forcing one tool to do everything. Real examples of when using the wrong tool cost hours, and a framework for choosing tools based on the problem rather than tribal loyalty.
Use the Right Tool for the Job: Stop Forcing One Tool to Do Everything I once spent three hours trying to manage a complex project in Obsidian before admitting I needed a proper project management too...
Securing Kubernetes clusters from day zero to production
Kubernetes Security Hardening: A DevSecOps Engineer's Playbook Kubernetes security isn't an afterthought—it should be built into every layer of your cluster from day one. After securing dozens of prod...
What Software engineers should know about building docker files > So sounds like you want a shortcut answer, we do not have any of those in stock. Things to note, when I talk about docker I am referri...