Security · Identity · Engineering
LATEST

Three dominant frameworks for building LLM-powered applications, each with a different abstraction model and production sweet spot — here is how to read the map.
ALL ARTICLES — 17 POSTS
Application Security · A technical walkthrough of every item on the OWASP Top 10 for LLM Applications 2025, with concrete attack examples and mitigations for developers building AI-powered systems.
Security Standards · A practical breakdown of what ASVS 5.0 is, how its three verification levels work, and how real teams use it — not just read it.
Authentication · Passkeys are phishing-resistant by design, but enterprise adoption hits friction at the protocol boundary between WebAuthn, OIDC, and SAML — here is what that friction looks like and how to work through it.
Security · PKCE is mandatory for public OAuth clients. Here is what the RFC actually specifies — the entropy requirements, the S256 transform, and why "plain" exists but should never be used.
Application Security · PII handling, browser storage security, dependency hygiene, security logging requirements, and WebRTC security — the final four chapters of OWASP ASVS 5.0.
Application Security · Algorithm choices, key management, TLS configuration, security headers, and dependency hygiene — what OWASP ASVS 5.0 requires for the infrastructure security layer.
Application Security · IDOR, forced browsing, privilege escalation, and upload security — what OWASP ASVS 5.0 requires for authorization enforcement and file handling.
Authentication · Algorithm confusion, missing claim validation, PKCE, refresh token rotation — what OWASP ASVS 5.0 requires for self-contained tokens and OAuth/OIDC implementations.
Authentication · Passwords, MFA, credential storage, session tokens, cookie attributes, and logout behavior — what OWASP ASVS 5.0 requires for authentication and sessions.
Application Security · CSP, CORS, DOM XSS, mass assignment, GraphQL depth limits — what OWASP ASVS 5.0 actually requires for web frontends and API security.
Application Security · OWASP ASVS 5.0 separates output encoding from input validation for good reason. Here's what each chapter requires and how they work together to prevent injection.
Security · Most developers treat a JWT as a signed JSON blob. The RFC has a more precise definition — and the gap between the two is where most vulnerabilities live.
Security · The OWASP cheat sheet distilled: the eight things that actually matter and the mistakes teams make when they skip them.
Security · RFC 8693 solves a specific problem that every microservice architecture eventually hits: how to propagate identity across service boundaries without sharing raw tokens.
Security · RFC 8252 is sixteen pages. The gaps between the lines are where the bugs live — and they are the kind of bugs that end up in security incident reports.
DevOps · Setting a backend up in Docker and publishing the image to GitHub Container Registry lets you run the exact same code on your laptop, CI, or production server.