Eliran Turgeman

Security for Builders

How real systems get hacked — and how to defend them. For engineers, not security consultants.

Recent deep-dives

  • How Attackers Drain Your Cloud Budget — how cost-triggering endpoints get abused through free tiers, messaging, webhooks, and expensive background work
  • How Injection Keeps Breaking Real Systems — SQL injection, command injection, and why they still happen
  • CSRF for Builders — practical defenses: tokens, SameSite cookies, what actually works
  • Threat Modelling for Builders — hands-on STRIDE for engineers, not security consultants
  • A Builder’s Guide to Not Leaking Credentials — how secrets leak in real codebases

Open-source tooling

I maintain code-security-skills — an AI agent skill that scans your codebase for leaked secrets, vulnerable dependencies, injection patterns, and infrastructure misconfigs. Tell your coding agent to “run a security scan” and get a prioritized report. Works with Copilot, Codex, and Claude Code.

Written by Eliran Turgeman — backend engineer at Microsoft, working on application security.

Copyright © 2022-2026 Eliran Turgeman