Alex Smolen

522 Followers


Dec 5, 2022

Vulnerability Inbox Zero

This is a summary of my LocoMocoSec 2022 and QCon SF 2022 conference talks — thanks to co-author Jake Mertz and the LaunchDarkly Security team! The LaunchDarkly Security team has a mission to help our customers chill out. We show our work when we solve security problems so they…

Vulnerability Management

8 min read


May 8, 2022

Signing Serverless Lambda code with GitHub Actions

Code signatures help prevent unauthorized code execution. They bridge trust between build and execution environments. This post shows you how to sign AWS Lambda function code built with GitHub Actions. Background: In November 2020, AWS released support for signing AWS Lambda code. Lambda function owners can specify signing verification requirements using…

Security

3 min read


Apr 3, 2022

What are Security Invariants?

Security invariants are a pattern for solving problems. We know what we want to be true, with minimal subjectivity. We know how to verify its truth, with minimal interpretation. It may not be true everywhere, but we know everywhere where it isn’t true. An example of an invariant is: All…

Security

5 min read


Jan 15, 2022

Securing GitHub organizations

If your security team is concerned about supply chain risk, it’s a good idea to look at your GitHub settings. GitHub describes several security features and best practices in their documentation for account security and organization security, but this post goes beyond the documentation. …

Security

6 min read


Sep 22, 2021

Service account standards

Service accounts for Software-as-a-Service (SaaS) applications have high levels of access and are shared between multiple people — a tempting target for attackers. But service accounts aren’t just a source of security risk. They can also slow down engineering teams. Laggy approvals for access, flaky integrations, and risky manual changes…

Security

6 min read


Jul 30, 2021

Scalable threat modeling

Security vulnerabilities result from interactions between thousands of well-intentioned decisions. What systems or libraries do we use? Should I click yes or no on this authorization prompt? Should we make this system simpler or safer? Only in the aftermath of security incidents do the regrettable decisions become clear. …

Security

5 min read


Jun 13, 2021

Login CSRF is low-risk and high-risk

Login CSRF allows an attacker to force a victim to log in to an attacker-controlled account. It often shows up in vulnerability scans and bug bounties. If you see a Login CSRF vulnerability, should you fix it? As defenders, we should only spend time fixing Login CSRF if attackers can…

Security

5 min read


Published in Level Up Coding · Mar 6, 2021

Building a Slack Block Kit app with Serverless and Go

It was a running joke at Twitter for new hires to post to the company-wide list asking why we couldn’t change the “dogs in the office” policy. At Clever we developed a theory that someone on the executive team had an allergy given the continued resistance to bringing dogs to…

Serverless

3 min read


Nov 9, 2020

Building effective security OKRs

This is an abridged version of my LocoMocoSec 2020 conference talk. How do you set the strategy for a security team? If your goals are vague, people on your team will work on whatever they’re interested in because there’s no clear mission. …

Security

9 min read


Sep 12, 2020

Using AWS IoT for mutual TLS in a web application

We use HTTPS to verify web server identities with X.509 certificates, but TLS also supports mutual authentication, where the server uses certs to verify the client’s identity. …

AWS

5 min read

Security for the people.
