Writing
All articles
Notes on product strategy, enterprise security, and the messy place between them. Subscribe via RSS.
- Career
Security Has a Product Problem
I spent years finding critical vulnerabilities. Then I realized finding them wasn't the hard part.
- Product Strategy
A Roadmap Is Not a Product Strategy
Most teams confuse a list of features with a strategy. Here's the 6-step framework I use to build product strategies that actually hold up under pressure.
- Security
5 Insider Threats Your Company Is Overlooking
The breach your security team is least prepared for isn't coming from outside. Here are the five insider threat vectors most organizations aren't watching closely enough.
- Technical
How I Automate Authenticated API Security Testing
Automating dynamic application security testing (DAST) for service APIs as part of a security testing pipeline, using OWASP ZAP and an OpenAPI spec.
- Security
Ransomware Defense Doesn't Have to Be Expensive
Good cyber hygiene and well-tuned security controls go a long way in defending against ransomware, even without a 'next-gen' product. A breakdown of common delivery techniques and the cost-effective countermeasures that block them.
- Security
Deconstructing the Ransomware Kill Chain
Ransomware is a relatively noisy form of malware, and its kill chain presents multiple opportunities for network defenders to detect and mitigate the threat. A stage-by-stage breakdown.
- Career
Pass the CISSP on First Try With This Guide
Reflections on passing the CISSP on the first try, and the condensed study guide that got me there. Includes a preview of the Cryptography module.
- Technical
How a Malicious Chrome Extension Steals Your Session
Browser extensions are a blind spot most organizations aren't accounting for. Here's how session theft via a malicious extension works, and why it's more accessible than people think.