Part II: The Network That Doesn’t Exist: Zero Trust, Service Meshes, and the Slow Death of Perimeter Security

The conversation that reordered my understanding of enterprise network security happened in a conference room in London in early 2019. The CISO of a mid-size financial services firm — precise, methodical, someone whose threat modeling I trusted — was describing her organization’s response to a pen test finding. The testers had gotten onto one internal

Part I: The Build You Can’t See Is the One That Will Kill You: Software Supply Chains, SBOMs, and the Long Reckoning After SolarWinds

There is a specific quality of dread that experienced security practitioners get when they think carefully about what happened in December 2020. Not the dread of a novel attack technique, or an adversary with exceptional resources. The dread of recognizing, in granular detail, exactly how many organizations were equally exposed and simply weren’t targeted. The

SBOM in Practice: Embedding Compliance Into the Software Delivery Lifecycle

Behind every application lies a web of components, libraries, and dependencies it relies on to function. Modern applications are built on layers of dependencies, including libraries, frameworks, third-party packages, and open source components, that most teams have only a partial view of. A Software Bill of Materials (SBOM) changes that. It is essentially a detailed

Code Security Remediation: What 50,000 Repositories Reveal About PR Scanning

Security teams have gotten good at finding vulnerabilities. Fixing them has always been the hard part. An analysis of remediation patterns across 50,000+ actively developed repositories and 400+ organizations during 2025 reveals a pattern: where a vulnerability is detected has more impact on whether it gets fixed than what the vulnerability is. PR-Detected Findings Get

The Platform or the Pile: How GitOps and Developer Platforms Are Settling the Infrastructure Debt Reckoning

There is a specific kind of organizational dysfunction that doesn’t show up in sprint velocity metrics or deployment frequency dashboards. It lives in Slack threads where a senior engineer is, for the third time this week, helping a product team figure out why their staging environment behaves differently from production. It lives in the postmortem

C/C++ Is Where Vulnerability Programs Go to Guess

Walk into most AppSec reviews, and you’ll find a familiar pattern. Python dependencies: fully inventoried. npm packages: tracked and patched. C and C++ code powering the operating system, the embedded firmware, or the performance-critical core of the product? A blank space where the risk assessment should be. This is not a tooling gap that’s easy

Self-Service HR Dashboards with Workday Extend and APIs

Workday Extend lets you build custom in-Workday apps that leverage Workday’s data model, UI and security. Extend apps are fully integrated into the Workday interface and can tap into Workday data via APIs and reports. In practice, a dashboard app on Extend will call Workday data services (native REST or “Report-as-a-Service” reports) behind the scenes,

Tracking Dependencies Beyond the Build Stage

When working on modern software, a developer will often use hundreds or thousands of dependencies. Keeping an accurate and consistent bill of materials is essential for license compliance and for security.

Motivation

In a large organization, the coverage of dependency review provided by build-time scanning has some limitations.