R2C pays me to write these articles for their blog, and gives me permission to cross-post them here.
Series: Articles written for r2c
Bringing Security along on the CI/CD journey January 11th, 2021
Practical ways to bridge the gap between AppSec and Engineering.
Not all attacks are equal: understanding and preventing DoS in web applications September 11th, 2020
Denial-of-Service (DoS) vulnerabilities are common, but teams frequently disagree on how to treat them. The risk can be difficult to analyze: I’ve seen development teams argue for weeks over how to handle a DoS vector. This article tries to cut through those arguments. It provides a framework for engineering and application security teams to think about denial-of-service risk, breaks down DoS vulnerabilities into high-, medium-, and low-risk classes, and has recommendations for mitigations at each layer.
Preventing SQL Injection in Django May 15th, 2020
SQL Injection (SQLi) is one of the most dangerous classes of web vulnerabilities. Thankfully, it’s becoming increasingly rare — thanks mostly to increasing use of database abstraction layers like Django’s ORM — but where it occurs it can be devastating. This article will help you understand and prevent SQLi vulnerabilities in your Django apps.