Skip to content

Security musings

Shorter or more opinionated pieces: how security teams interact with delivery, trade-offs, tooling, and day-to-day engineering—not always tied to a single product or incident. The table below is regenerated automatically on each site build from the other Markdown notes in this folder.

Name Date Keywords Brief summary
Security code review: trends and practice in the AI era 2026-05-09 code review, LLM security, SAST, hybrid analysis, Copilot, Cursor, DevSecOps, OWASP AISVS, OpenSSF Evidence on LLM-assisted vulnerability detection vs hybrid SAST, practical review patterns, vendor tool landscape, and a conservative small-company operating model—IDE + PR AI + CI gates + human review.
A systematic approach to product security 2026-05-09 product security, SSDLC, shift-left, risk management, DevSecOps, prioritization, security regression How product security teams turn shift-left ideals into repeatable practice: clarifying risk across project phases and knowledge states, mapping work to countermeasures, prioritizing urgency vs importance, and measuring coverage without losing depth.
Security tasks and prioritization 2026-05-04 prioritization, security engineering, Eisenhower matrix, CVSS, vulnerability management, incident response Why prioritization defines a capable security engineer—macro activities (reviews, IR, vuln management, testing), Eisenhower urgent/important framing, and micro metrics from data classification to bug bars and IR impact.
Study note — The Developer’s Playbook for Large Language Model Security 2026-05-04 LLM security, OWASP LLM, study notes, prompt injection, RAISE, LLMOps Dense study companion to Steve Wilson’s playbook—layered chapter map, OWASP LLM Top 10 style notes, architectures, prompt risks, supply chain, LLMOps, RAISE, and tooling, rewritten in the author’s own words for learning (not a substitute for the source text).
Build security code review confidence: from uncertain to certain 2026-05-02 code review, threat modeling, STRIDE, MITRE ATT&CK, risk, security domains Security code review as a structured path from ambiguity to defensible confidence—intent, decomposition, threat modeling, validation, critical controls, dependencies, and logging tradeoffs.
From mental model to security model 2026-05-02 mental model, architecture review, threat modeling, STRIDE, security engineering How a security engineer’s work rests on two layers: an architecture model (how the system works) and a security model (how it can fail)—and how to move from understanding to adversarial analysis.
How-to: End-to-end ML model and GenAI application security 2026-05-02 ML security, GenAI, MLSecOps, lifecycle, checklist, threat modeling How ML/AI AppSec overlaps with traditional AppSec, what is different, lifecycle security anchors, and a phase-by-phase developer checklist from intent through maintenance.
Research: China PIPL and U.S. PADFAA / DOJ DSP compliance 2026-05-02 PIPL, China, PADFAA, DOJ DSP, data privacy, compliance, vendor due diligence, PIPIA Working notes comparing China’s PIPL with the U.S. Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) and DOJ Data Security Program (DSP)—obligations, vendor checklist, and Legal / Security / Engineering roles.
Security as coding intelligence 2026-05-02 AI development, security engineering, organization design, code generation How AI shifts development toward system design, and why security must become embedded rules, parallel intelligence, and intentional friction—not downstream review.
Study note — Prompt engineering (PE4LLM) 2026-05-02 prompt engineering, LLM, study notes, context engineering Personal notes from Prompt Engineering for LLMs—what PE is, layers of sophistication, and why LLMs complete text rather than reason like humans.
Template — Security architecture review document 2026-05-02 security architecture review, template, checklist, threat modeling, CIA, application security, risk analysis Reusable outline for application context, risk, architecture, controls, and references in a security architecture review.
Threat Modeling Case Study: Car Firmware Update via USB Stick 2026-05-02 threat modeling, automotive, firmware, USB Interview-style case study on car firmware updates over USB—structured threats and mitigations beyond "sign and encrypt."
Understanding threats, vulnerabilities, and risk 2026-05-02 threat modeling, vulnerability, risk, definitions, security fundamentals How threat, vulnerability, and risk differ in practice—industry language vs a consistent mental model, with examples and a compact comparison table.
Guardrails and the security engineer’s role 2026-04-15 security engineering, delivery, risk, roles Four SE roles from observer to gatekeeper—responsibility, deliverables, and how much each shape actually steers the project.

If a thread grows into a long-running series, consider moving it under Topics or Incidents & trends instead.