Notes

Thoughts on security engineering, lessons learned, and technical deep dives. Written to clarify my own thinking and hopefully help others along the way.

RBAC · Authorization

RBAC is not authorization unless it's enforced server-side

A deep dive into why role-based access control must be validated on every API request, and common mistakes that lead to privilege escalation vulnerabilities.

Audit Logging · IR

How to design audit logs that help investigations

Practical guidance on structuring audit events for security investigations: what to log, how to structure it, and common anti-patterns to avoid.

AppSec · IDOR

Common IDOR failure modes and how to prevent them

An exploration of Insecure Direct Object Reference vulnerabilities, why they're so common, and patterns for building authorization into your data access layer.
