Writing
Security Engineering Notes
Long-form writing on product security, infrastructure, PKI, threat modelling, and the engineering decisions behind systems I build and assess.
2026-06
Deployment drift as a security finding
When production provably differs from the reviewed source, what can an assessment still claim, and how should the uncertainty itself be treated?
2026-03
Credential blast radius in single-node platforms
How far does an application compromise travel when the application holds database-owner, object-storage root, and platform-wide service credentials?
2025-11
Designing an offline root CA for small operations
What does a defensible root-CA ceremony look like without an HSM budget, and which controls actually change the risk?