#devsecops

shifting security left until it lands on the developer who already had a sprint.

6 blog posts.

Blog posts

Lazy SRE's guide to secure systems, part 6: the network in front of everything

Ivanti made everyone re-read their VPN architecture in January 2024. Tailscale, Cloudflare Tunnel, and WireGuard in one afternoon.

Lazy SRE's guide to secure systems, part 5: the dev laptop is the perimeter

Snowflake taught everyone what happens when an infostealer runs on a contractor's personal Mac. The laptop is the perimeter.

Lazy SRE's guide to secure systems, part 4: the four DNS records

Four DNS records that close the entire phishing impersonation class. SPF, DKIM, DMARC, CAA, two monitors, one afternoon.

Lazy SRE's guide to secure systems, part 3: the unsexy list

Identity, network, default creds, attestation, audit logs — the controls that close most of the gap Parts 1 and 2 left.

Lazy SRE's guide to secure systems, part 2: the actions you didn't pin

Hardening GitHub Actions for small teams. SHA pinning, OIDC, cooldowns, and the trigger Future You at 3am should not touch.

Lazy SRE's guide to secure systems, part 1: the dependencies you didn't read

A startup-grade defense against npm supply-chain attacks, written for Future You at 3am. Chainjacking, postinstall scripts, and the smallest install that…

Blog posts

Related tags