Doing security well? Then here are some tricks for pushing through the security questionnaire quagmire.
A survey of approaches to scorecarding in security programs.
A guide to tools for creating AWS IAM service roles.
Responsibly disclosing risks in using SSM Command Docs for software distribution.
AWS WAF is definitely not the best DDoS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.
An analysis of the thousands of public SSM Command documents, including identification of secret leakage.
Expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.
Four controls platforms can use when building a custom-domain feature to make it resilient to subdomain takeover down the road.