Product Security
We don’t lack cybersecurity ideas. We lack companies hiring juniors and products that are secure by default. These two problems are connected, and until we fix both, we’ll keep talking about a skills shortage while making it impossible to build a secure society.
Product Security
Fraud is one of the most overlooked areas in cybersecurity, often caused by insecure design and weak controls. At DoorDash I saw how easily people abuse normal features to make money. Fixing this isn’t just shifting left; it requires real collaboration between security and fraud teams.
Vulnerability Management
Defining good SLAs is a tough challenge, but it’s at the heart of any solid vulnerability management program. This article helps internal security teams set clear SLAs, define the right metrics, and adjust their ticketing system to build a successful vulnerability management program.
One important subject to discuss when talking about vulnerability management is the day you open the valve on a code scanning tool that generates an enormous number of security findings. This has been a problem in information security since the early 2000s that is still being worked on, and now,
Product Security
We’ve all seen it — a CVE comes in, we patch it, a sprint later it’s back again… or something just like it. The same class of issues, over and over. Sound familiar? It’s time we stop playing whack-a-mole and admit the truth!
Vulnerability Management
Time-to-Developer Ownership (TTDO) might be the most overlooked and game-changing metric in vulnerability management today. What is it? Why should you care?
Vulnerability Management
I've decided to start blogging about vulnerability management because there's something we need to get straight: chasing CVSS, VPR, EPSS scores (or whatever else) won't actually make your company safer. Context will.
Digging up root causes, shaking the core of infosec.
