Blog

    Security · Identity · Engineering

    LATEST

    LangChain, LangGraph, and LlamaIndex — Which Tool Do You Need, and When
    Featured · AI Engineering

    Three dominant frameworks for building LLM-powered applications, each with a different abstraction model and production sweet spot — here is how to read the map.

    Jun 24, 2026 · 10 min

    ALL ARTICLES — 17 POSTS

    OWASP Top 10 for LLM Applications — Explained with Examples
    Application Security

    A technical walkthrough of every item on the OWASP Top 10 for LLM Applications 2025, with concrete attack examples and mitigations for developers building AI-powered systems.

    Jun 18, 2026 · 9 min

    The Standard That Actually Defines Secure Web Applications — OWASP ASVS 5.0
    Security Standards

    A practical breakdown of what ASVS 5.0 is, how its three verification levels work, and how real teams use it — not just read it.

    Jun 8, 2026 · 8 min

    WebAuthn Passkeys in Enterprise SSO — Protocol Mechanics, IdP Integration, and Real Adoption Challenges
    Authentication

    Passkeys are phishing-resistant by design, but enterprise adoption hits friction at the protocol boundary between WebAuthn, OIDC, and SAML — here is what that friction looks like and how to work through it.

    Jun 6, 2026 · 5 min

    PKCE Demystified — What the RFC Actually Says
    Security

    PKCE is mandatory for public OAuth clients. Here is what the RFC actually specifies — the entropy requirements, the S256 transform, and why "plain" exists but should never be used.

    Jun 4, 2026 · 10 min

    Data Protection, Secure Architecture, Logging, and WebRTC — ASVS 5.0 V14–V17
    Application Security

    PII handling, browser storage security, dependency hygiene, security logging requirements, and WebRTC security — the final four chapters of OWASP ASVS 5.0.

    Jun 3, 2026 · 11 min

    Cryptography, TLS, and Configuration Hardening — ASVS 5.0 V11, V12 & V13
    Application Security

    Algorithm choices, key management, TLS configuration, security headers, and dependency hygiene — what OWASP ASVS 5.0 requires for the infrastructure security layer.

    May 10, 2026 · 11 min

    Authorization Controls and Secure File Handling — ASVS 5.0 V8 & V5
    Application Security

    IDOR, forced browsing, privilege escalation, and upload security — what OWASP ASVS 5.0 requires for authorization enforcement and file handling.

    Apr 25, 2026 · 10 min

    JWT Security and OAuth 2.0/OIDC Requirements — ASVS 5.0 V9 & V10
    Authentication

    Algorithm confusion, missing claim validation, PKCE, refresh token rotation — what OWASP ASVS 5.0 requires for self-contained tokens and OAuth/OIDC implementations.

    Apr 11, 2026 · 12 min

    Authentication and Session Management Requirements — ASVS 5.0 V6 & V7
    Authentication

    Passwords, MFA, credential storage, session tokens, cookie attributes, and logout behavior — what OWASP ASVS 5.0 requires for authentication and sessions.

    Mar 17, 2026 · 12 min

    Securing the Browser Layer and Your APIs — ASVS 5.0 V3 & V4
    Application Security

    CSP, CORS, DOM XSS, mass assignment, GraphQL depth limits — what OWASP ASVS 5.0 actually requires for web frontends and API security.

    Feb 27, 2026 · 9 min

    Encoding, Validation, and Why the Order Matters — ASVS 5.0 V1 & V2
    Application Security

    OWASP ASVS 5.0 separates output encoding from input validation for good reason. Here's what each chapter requires and how they work together to prevent injection.

    Feb 10, 2026 · 10 min

    A Quick JWT Overview for Developers and Security Practitioners (Part 1)
    Security

    Most developers treat a JWT as a signed JSON blob. The RFC has a more precise definition — and the gap between the two is where most vulnerabilities live.

    Jan 8, 2026 · 10 min

    OWASP Session Management — Condensed
    Security

    The OWASP cheat sheet distilled: the eight things that actually matter and the mistakes teams make when they skip them.

    Dec 14, 2025 · 9 min

    Token Exchange — The OAuth Flow Nobody Talks About (Until They Need It)
    Security

    RFC 8693 solves a specific problem that every microservice architecture eventually hits: how to propagate identity across service boundaries without sharing raw tokens.

    Feb 27, 2025 · 10 min

    OAuth 2.0 for Native Apps — 7 Things to Watch Out For
    Security

    RFC 8252 is sixteen pages. The gaps between the lines are where the bugs live — and they are the kind of bugs that end up in security incident reports.

    Jan 11, 2025 · 8 min

    Create artifacts easily on the GitHub Container Registry
    DevOps

    Setting a backend up in Docker and publishing the image to GitHub Container Registry lets you run the exact same code on your laptop, CI, or production server.

    Sep 13, 2024 · 5 min