Implementing SAST at an Enterprise

Introduction: Implementing static application security testing (SAST) in an enterprise is rarely just a tooling exercise. In this case, it was one part of a broader, multi-year developer security program that also included threat modeling, dynamic application security testing (DAST), software composition analysis (SCA), secrets management, cryptography standards, and code classification. The program was led by the Head of Developer Security, who acted as Program Manager (PM) and is the author of this experience report. ...

April 23, 2026 · 10 min · 1945 words · patrick, p15r

SSH Key Handling in My Dev Setup

Recently, I came across @halvarflake’s blog post about his development setup. I’m roughly following the same idea: a dedicated machine for development. One difference is that I use a dedicated VM per project. This keeps each environment clean and, in case of compromise, the blast radius is limited to that one project. AI agents increase the risk in my setup. To get the most out of them, I usually give them access to the internet, tools (whatever’s available), and the code. On top of that, I often run them in YOLO mode (e.g. --dangerously-skip-permissions in Claude Code). ...

April 6, 2026 · 3 min · 455 words · patrick, p15r

Practical Rego

Changelog: 07/09/2023: Add chapter “Accessing undefined value in negated expression”. This post summarizes my journey of learning Rego. While much of the information overlaps with the official Rego reference, it is structured like a “getting started” guide for Rego newbies. The emphasis is put on the programming paradigms (logic versus procedural), which is helpful for programmers used to imperative languages such as Python or Java. Normal links (e.g. Wikipedia) lead to further information, while links in square brackets (e.g. [1]) are sources of statements made in this post. ...

July 1, 2023 · 21 min · 4284 words · patrick, p15r

AWS Certifications

I’ve decided to spend some time diving a bit more into Cloud technologies. Typically, if I learn something new, I’d like to make it a mix of theory and practical experience. Hence, I did some AWS certifications and some hands-on projects 👨‍💻. In case you plan to do something similar, you might find my notes about learning & exam strategy, as well as the topic at hand, helpful. These are my posts that contain everything about the AWS certifications that I’ve done: ...

December 20, 2022 · 1 min · 98 words · patrick, p15r

AWS Solution Architect Professional

This post is part of a series of AWS-related posts. Intro: This post documents my AWS SAP exam preparation and everything that comes with it. My strategy was simple. I’ve started the learning process by taking a Udemy course. The course was rather lengthy, so I didn’t repeat the course material 🤓. Instead, I completed practice exams and took note of everything I either forgot or didn’t know in the first place. Thus, the notes below are a mix of course repetition and complementary information. ...

December 20, 2022 · 16 min · 3279 words · patrick, p15r