#security

threat models, default-deny, and the cve that landed on a friday.

9 blog posts.

Blog posts

Lazy SRE's guide to secure systems, part 6: the network in front of everything

Ivanti made everyone re-read their VPN architecture in January 2024. Tailscale, Cloudflare Tunnel, and WireGuard in one afternoon.

Lazy SRE's guide to secure systems, part 5: the dev laptop is the perimeter

Snowflake taught everyone what happens when an infostealer runs on a contractor's personal Mac. The laptop is the perimeter.

Lazy SRE's guide to secure systems, part 4: the four DNS records

Four DNS records that close the entire phishing impersonation class. SPF, DKIM, DMARC, CAA, two monitors, one afternoon.

Lazy SRE's guide to secure systems, part 3: the unsexy list

Identity, network, default creds, attestation, audit logs — the controls that close most of the gap Parts 1 and 2 left.

Lazy SRE's guide to secure systems, part 2: the actions you didn't pin

Hardening GitHub Actions for small teams. SHA pinning, OIDC, cooldowns, and the trigger Future You at 3am should not touch.

Lazy SRE's guide to secure systems, part 1: the dependencies you didn't read

Startup-grade defense against npm supply-chain attacks, for Future You at 3am. Chainjacking, postinstall scripts, smallest install, most leverage.

Self-hosting SimpleLogin: own your email aliases for $3 a month

Self-hosted SimpleLogin with Docker, Postfix, and Brevo for $3/month. The TLS gotcha that ate two hours of my Sunday, written down so you skip it.

Access denied: when your browser extensions look like attack vectors

Tried booking a flight. Got blocked. VPN didn't help. IP was clean. Turns out Akamai thinks my 21 security extensions make me look like a hacker. They're…

Docker security: stop running everything as root

Your containers are probably insecure. Here's how I learned to harden Docker containers the hard way, and the security mistakes that almost cost us.

Blog posts

Related tags