Access approvals considered harmfulAccess approvals are a feature in categories of software bearing fancy names like Entitlement Management, Identity Governance, Privileged…Nov 11, 20242Nov 11, 20242
Better security policiesSecurity policies are the backbone of information security programs. They define commitments to leadership and communicate objectives to…Jul 31, 2024Jul 31, 2024
Risks are not risks, vulnerabilities are not vulnerabilitiesIn information security we emphasize the importance of risk, but we struggle to operationalize it. How do we make risk useful for auditors…May 26, 2024May 26, 2024
Designing Least Privilege AWS IAM Policies for PeopleThis was originally published on the now defunct IAM Pulse blog in 2021.Feb 14, 2024Feb 14, 2024
Meeting the FedRAMP FIPS 140–2 requirement on AWSFedRAMP is a compliance program for cloud services to process US Federal government data. If you haven’t heard of it, consider yourself…Oct 2, 20232Oct 2, 20232
Vulnerability Inbox ZeroThis is a summary of my LocoMocoSec 2022 and QCon SF 2022 conference talks — thanks to co-author Jake Mertz and the LaunchDarkly Security…Dec 5, 20221Dec 5, 20221
Signing Serverless Lambda code with GitHub ActionsCode signatures help prevent unauthorized code execution. They bridge trust between build and execution environments. This post shows you…May 8, 20221May 8, 20221
What are Security Invariants?The only reasonable numbers are zero, one, and infinity — Bruce J. MacLennanApr 3, 2022Apr 3, 2022
Securing GitHub organizationsInterior view of Stockholm Public Library via wikimedia.orgJan 15, 2022Jan 15, 2022
