Security musings
Shorter or more opinionated pieces: how security teams interact with delivery, trade-offs, tooling, and day-to-day engineering—not always tied to a single product or incident. The table below is regenerated automatically on each site build from the other Markdown notes in this folder.
| Name | Date | Keywords | Brief summary |
|---|---|---|---|
| Build security code review confidence: from uncertain to certain | 2026-05-02 | code review, threat modeling, STRIDE, MITRE ATT&CK, risk, security domains | Security code review as a structured path from ambiguity to defensible confidence—intent, decomposition, threat modeling, validation, critical controls, dependencies, and logging tradeoffs. |
| From mental model to security model | 2026-05-02 | mental model, architecture review, threat modeling, STRIDE, security engineering | How a security engineer’s work rests on two layers: an architecture model (how the system works) and a security model (how it can fail)—and how to move from understanding to adversarial analysis. |
| How-to: End-to-end ML model and GenAI application security | 2026-05-02 | ML security, GenAI, MLSecOps, lifecycle, checklist, threat modeling | How ML/AI AppSec overlaps with traditional AppSec, what is different, lifecycle security anchors, and a phase-by-phase developer checklist from intent through maintenance. |
| Research: China PIPL and U.S. PADFAA / DOJ DSP compliance | 2026-05-02 | PIPL, China, PADFAA, DOJ DSP, data privacy, compliance, vendor due diligence, PIPIA | Working notes comparing China’s PIPL with the U.S. Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) and DOJ Data Security Program (DSP)—obligations, vendor checklist, and Legal / Security / Engineering roles. |
| Security as coding intelligence | 2026-05-02 | AI development, security engineering, organization design, code generation | How AI shifts development toward system design, and why security must become embedded rules, parallel intelligence, and intentional friction—not downstream review. |
| Study note — Prompt engineering (PE4LLM) | 2026-05-02 | prompt engineering, LLM, study notes, context engineering | Personal notes from Prompt Engineering for LLMs—what PE is, layers of sophistication, and why LLMs complete text rather than reason like humans. |
| Template — Security architecture review document | 2026-05-02 | security architecture review, template, checklist, threat modeling, CIA, application security, risk analysis | Reusable outline for application context, risk, architecture, controls, and references in a security architecture review. |
| Threat Modeling Case Study: Car Firmware Update via USB Stick | 2026-05-02 | threat modeling, automotive, firmware, USB | Interview-style case study on car firmware updates over USB—structured threats and mitigations beyond "sign and encrypt." |
| Understanding threats, vulnerabilities, and risk | 2026-05-02 | threat modeling, vulnerability, risk, definitions, security fundamentals | How threat, vulnerability, and risk differ in practice—industry language vs a consistent mental model, with examples and a compact comparison table. |
| Guardrails and the security engineer’s role | 2026-04-15 | security engineering, delivery, risk, roles | Four SE roles from observer to gatekeeper—responsibility, deliverables, and how much each shape actually steers the project. |
If a thread grows into a long-running series, consider moving it under Topics or Incidents & trends instead.