DevSecOps

Your First 90 Days in AppSec Are Political, Not Technical

The biggest mistake I see new AppSec leads make isn't technical. It's political. They buy a SAST tool, scan everything, generate 40,000 findings, and wonder why engineering treats them like an adversary by week six.

Every EKS Cluster I Audit Has the Same Five Problems

Last quarter I got handed a 'production-ready' EKS cluster. 400 pods running as root with hostNetwork, one IAM role with s3:* on the whole account. It had been running this way for eleven months. That's not an outlier. It's the median.