Security

Stay on top of security vulnerabilities, hardening practices, and secure development workflows. Covers CVEs, supply chain security, secrets management, and security tooling.

19 posts

Posts

Security
2026-05-08|12 min read

Dirty Frag (CVE-2026-43284 + CVE-2026-43500): Local Root on Every Major Linux Distro

A two-bug chain in the Linux kernel networking subsystems lets any unprivileged local user become root in a single command. The PoC is public, the embargo broke, and not all distros have a patch yet.

Security
2026-05-08|11 min read

Next.js 16.2.6 and 15.5.18 Ship 13 Security Fixes: Patch Now

Vercel released back-to-back security updates for Next.js covering 7 high, 4 moderate, and 2 low severity advisories, including an upstream React denial-of-service issue. Here is what is broken, who is exposed, and the rollout path.

Security
2026-05-05|11 min read

Mini Shai-Hulud: PyTorch Lightning Just Stole Your CI Secrets

On April 30 a supply chain worm pushed malicious versions of PyTorch Lightning (10M+ downloads/month), intercom-client, and intercom-php to PyPI, npm, and Packagist in 48 hours. It steals every credential in your CI and propagates through your own GitHub tokens. Here is what to check and what to rotate.

Security
2026-05-04|13 min read

CVE-2026-3854: A Single git push Owned GitHub

A semicolon in a git push option let any authenticated user run code on GitHub.com's backend and on 88% of self-hosted GitHub Enterprise installs. Here is how the bug worked and what to do.

Security
2026-04-14|6 min read

Two Composer Command Injection Flaws Let Attackers Run Arbitrary Code - Even Without Perforce

CVE-2026-40176 and CVE-2026-40261 affect all Composer 2.x versions. A malicious composer.json or crafted package metadata can execute OS commands on your machine. Upgrade to 2.9.6 now.

Security
2025-01-24|12 min read

CI/CD Pipeline Hardening: A Practical Guide to Securing Your Build Infrastructure

Your CI/CD pipeline has access to source code, secrets, and production environments. Here is how to harden it against supply chain attacks, secret exfiltration, and artifact tampering.
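One concrete supply chain hardening check for that pipeline, as an added example rather than code from the linked guide: third-party GitHub Actions referenced by a mutable tag or branch (`@v4`, `@main`) can be re-pointed by a compromised upstream, so the rule assumed here is that every external `uses:` must be pinned to a full 40-hex commit SHA. The function, the rule, and the sample workflow below are all constructed for this illustration; the sample keeps the tag in a trailing comment, which is the usual convention for readability.

```shell
#!/usr/bin/env sh
# Added example for a CI hardening gate; not code from the linked guide.
# Assumed rule: every third-party action is pinned to a full 40-hex commit SHA.
# Tags and branches are mutable and can be re-pointed upstream; a commit SHA cannot.

# find_unpinned_actions: reads a GitHub Actions workflow on stdin, prints every
# `uses:` reference that is not pinned to a 40-character commit SHA, and returns
# 1 if any were found (0 when all references are pinned).
find_unpinned_actions() {
    # Pull the value of each `uses:` key, dropping quotes and trailing comments.
    refs=$(grep -E '^[[:space:]-]*uses:' \
        | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' \
        | sed -E "s/[\"']//g" || true)

    # Local actions (./path) and docker:// images are not pinned by git ref, so
    # skip them; everything else must end in @<40 hex chars>.
    unpinned=$(printf '%s\n' "$refs" \
        | grep -v '^\./' \
        | grep -v '^docker://' \
        | grep -Ev '@[0-9a-f]{40}$' \
        | grep . || true)

    if [ -n "$unpinned" ]; then
        printf '%s\n' "$unpinned"
        return 1
    fi
    return 0
}

# Constructed sample workflow: one action pinned to a SHA (tag kept in a comment),
# two on mutable refs, one local action, plus a least-privilege token scope.
SAMPLE_WORKFLOW='name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - name: Lint
        uses: "some-org/lint-action@main"
      - run: npm ci'

# Demo: lists the two mutable references and reports the failure as a CI gate would.
if printf '%s\n' "$SAMPLE_WORKFLOW" | find_unpinned_actions; then
    echo "all actions pinned"
else
    echo "unpinned actions found; failing the check" >&2
fi
```

In a real pipeline the check reads the workflow files instead of the constructed sample (`find_unpinned_actions < .github/workflows/ci.yml`) and its non-zero exit fails the job. Pinning alone does not vet what the SHA contains, so it belongs alongside dependency review of the action itself.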

Security
2025-01-24|10 min read

How to Integrate DAST Into Your CI/CD Pipeline (With OWASP ZAP Examples)

A practical guide to Dynamic Application Security Testing. Learn how DAST works, set up OWASP ZAP scans, compare it with Burp Suite, and automate security testing in your CI/CD pipeline with quality gates.

Security
2025-01-24|10 min read

Dependency Scanning: Finding Vulnerabilities Before Attackers Do

A practical guide to dependency scanning with Snyk, Dependabot, and native package manager tools. Learn how to detect vulnerable dependencies, automate fixes, and integrate scanning into your CI/CD pipeline.

Security
2025-01-24|10 min read

Pre-commit Hooks for Security: Stop Secrets Before They Hit Your Repository

Once a secret is committed to Git it is in the history of every clone and, even after a history rewrite, has to be treated as compromised and rotated. Pre-commit hooks with gitleaks, detect-secrets, and custom checks catch credentials before that happens.
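What one of those custom checks looks like, as an added example that is not code from the linked post and not a substitute for gitleaks or detect-secrets (their pattern sets are far larger): a hook that reads the staged diff, looks only at the lines a commit adds, and refuses the commit on a high-confidence match. The patterns, the hook function, and both sample diffs are constructed for this illustration; the AWS key in the sample is the documented AWS placeholder value.

```shell
#!/usr/bin/env sh
# Added example of a custom pre-commit secret check; not code from the linked post.
# Assumption: it runs as .git/hooks/pre-commit and inspects only lines the commit adds.

# High-confidence patterns, one per line (grep -E treats them as alternatives):
# AWS access key IDs, GitHub tokens, and PEM private-key headers.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}
ghp_[A-Za-z0-9]{36}
github_pat_[A-Za-z0-9_]{22,}
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'

# scan_added_lines: reads a unified diff on stdin, keeps only added lines
# (leading "+", excluding the "+++ b/path" file header), and returns 1 with the
# offending lines on stderr if any pattern matches. Removed lines ("-") are
# ignored on purpose: a secret being deleted is already in history and needs
# rotation, which blocking the commit would not achieve.
scan_added_lines() {
    added=$(grep '^+' | grep -v '^+++ ' | cut -c2- || true)
    hits=$(printf '%s\n' "$added" | grep -E -n "$SECRET_PATTERNS" || true)
    if [ -n "$hits" ]; then
        printf 'Refusing commit: possible secret(s) in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed staged diff that adds a hardcoded AWS key: the hook should block it.
SAMPLE_DIFF='diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1 +1,2 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"'

# Constructed diff that removes that key: allowed through (rotate the key instead).
CLEAN_DIFF='diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,2 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_REGION = "eu-west-1"'

# Demo on the constructed diffs. As a hook, the input comes from git instead:
#   git diff --cached | scan_added_lines
for d in "$SAMPLE_DIFF" "$CLEAN_DIFF"; do
    if printf '%s\n' "$d" | scan_added_lines; then
        echo "commit allowed"
    else
        echo "commit blocked"
    fi
done
```

Two practical caveats: the hook sees only what is staged, so `git commit --no-verify` or a push from a machine without the hook bypasses it, which is why the same scan also belongs in CI; and a regex-only check will miss unstructured secrets (passwords, arbitrary API keys), which is what the entropy-based detectors in gitleaks and detect-secrets add.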

Security
2025-01-24|10 min read

Secrets Management Guide: Vault, AWS Secrets Manager, and Azure Key Vault

Stop storing secrets in .env files and environment variables. This guide covers secrets management fundamentals, HashiCorp Vault dynamic secrets, AWS Secrets Manager rotation, and Azure Key Vault with practical code examples.

Security
2025-01-24|11 min read

Secure Coding Practices Every DevOps Engineer Should Know

A practical guide to writing secure code: input validation, output encoding, error handling, and authentication. With real examples in Python, JavaScript, and Go.

Security
2025-01-24|11 min read

Security-Focused Code Reviews: Catching Vulnerabilities Before Production

Learn how to review code with a security mindset. This guide covers common vulnerability patterns, language-specific pitfalls, and practical checklists for finding injection flaws, auth bypass, and logic bugs that automated tools miss.

Security
2025-01-24|11 min read

Software Supply Chain Security: SBOMs, Sigstore, and SLSA in Practice

Protect your software supply chain with practical steps for SBOM generation, artifact signing with Cosign, and SLSA provenance. Includes complete CI/CD pipeline examples for GitHub Actions and GitLab CI.