Blog

Practical write-ups on DevSecOps — infrastructure security, IaC patterns, and operational lessons from the field.

AWS IAM Zero Trust

Zero Trust in Practice: IAM Policies That Actually Work

Most IAM policies I’ve reviewed violate least privilege in subtle ways — wildcard actions, missing condition keys, over-broad resource ARNs. Here’s the audit checklist I use and how to fix the most common issues.

Security CSP Web

Content Security Policy: From Zero to A+ in an Afternoon

Getting a perfect score on SecurityHeaders.com isn’t just copying header strings from Stack Overflow. Understanding what each directive blocks — and why — is the difference between a real policy and a false sense of security.

Terraform IaC SAST

Scanning Terraform Before It Reaches AWS

Shifting security left means catching misconfigurations before terraform apply runs. Here’s the CI pipeline I wire into every IaC project — tfsec, Checkov, OPA policies — and how each layer catches a different class of mistakes.

AWS WAF Networking

WAF Rules That Don’t Break Your App

AWS WAF managed rules block common attacks out of the box — and also generate false positives that take down production. Here’s how I tune rule groups with count mode before switching to block.

Coming Soon
GitHub Actions CI/CD Security

Hardening GitHub Actions: Pinning, Permissions, and OIDC

Unpinned third-party actions are a supply chain attack waiting to happen. This post covers pinning by commit SHA, minimal OIDC permissions for AWS deployments, and the workflow settings most teams leave at their defaults.

Coming Soon
AWS CloudTrail Detection

Writing CloudTrail Detections That Don’t Page You at 3AM

High-signal CloudTrail alerting requires understanding which API calls matter and which are noise. I’ll walk through the event sources I monitor, the Athena queries I use to tune signal, and the runbooks behind each alert.

Coming Soon