Feb 19 · 6 min read · Cryptography is precise. Browsers are not. If you’ve implemented WebAuthn in a real PWA, you already know this: The spec is clean. The user experience is not. The uncomfortable truth is this: Most authentication systems fail because of UX, not becaus...
Feb 19 · 5 min read · When teams adopt WebAuthn or FIDO2, the excitement is understandable: No passwords. No phishing. No credential stuffing. Biometric UX. Public-key cryptography. It feels like the final answer. But WebAuthn answers exactly one question: Can thi...
Feb 18 · 13 min read · As discussed in Part 1 and Part 2 of this series, we had a look at SQL injection from a developer's perspective and discussed coding best practices related to SQL injection for JDBC, JPA, Spring Data, MyBatis, and stored procedures. This third part o...
Feb 4 · 17 min read · TL;DR In this article, I'll walk you through the complete process of Security Architecture & Design Review (SAR) for an e-commerce web application. You'll discover how to use the Microsoft Threat Modeling Tool, create Data Flow Diagrams, identify thr...
Jan 23 · 2 min read · Most developers think of HTTPS as a checkbox. Something you enable because every tutorial tells you to. Something that’s “probably already handled somewhere.” That’s understandable. But HTTPS isn’t a feature you add. It’s the line that decides whether ...
Jan 15 · 7 min read · When JPMorgan Chase disclosed that client data was compromised through their law firm's breach, following Goldman Sachs' similar admission just weeks earlier, most cybersecurity professionals focused on the wrong question. They asked: "How do we be...
Jan 12 · 6 min read · By this point in the series, authorization should no longer feel like a feature. It should feel like a boundary. — Permissions define who may attempt an action. — Policies define what is valid now. — Invariants define what must never be false. Together,...
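The three layers named in that teaser (permissions, policies, invariants) compose naturally into one authorization check. The following is an added illustration, not code from the article or its series: the order-cancellation domain, the role-to-permission table, the 24-hour self-service window, the order statuses and every name in it (User, Order, AuthzError, cancel_order, transition, decide) are assumptions made up for the demo. The point it shows is that each layer answers a different question, that the first layer to object wins, and that invariants sit behind a single state-transition choke point so a caller that bypasses the policy layer is still stopped.

```python
"""Layered authorization: permissions, then policy, then invariants.
Added illustration, not the article's code; every name below (User, Order,
AuthzError, the statuses, the 24-hour window) is an assumption for the demo."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

class AuthzError(Exception):
    """Rejection from one layer; `layer` records which one said no."""
    def __init__(self, layer, reason):
        super().__init__(f"{layer}: {reason}")
        self.layer = layer

@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset

@dataclass(frozen=True)
class Order:
    id: str
    owner_id: str
    status: str            # one of VALID_STATUSES
    placed_at: datetime
    refunded: bool = False  # set by a refund flow not shown here

# Layer 1, permissions: who may *attempt* an action at all.
ROLE_PERMISSIONS = {
    "customer": frozenset({"order:cancel"}),
    "support": frozenset({"order:cancel", "order:refund"}),
}

def check_permission(user, action):
    granted = set().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles))
    if action not in granted:
        raise AuthzError("permission", f"{user.id} may not attempt {action}")

# Layer 2, policy: is this attempt valid *now*, given state and time?
CANCEL_WINDOW = timedelta(hours=24)   # assumed self-service cut-off

def check_cancel_policy(user, order, now):
    is_support = "support" in user.roles
    if not is_support and order.owner_id != user.id:
        raise AuthzError("policy", "customers may cancel only their own orders")
    if order.status != "pending":
        raise AuthzError("policy", f"order {order.id} is {order.status}, not pending")
    if not is_support and now - order.placed_at > CANCEL_WINDOW:
        raise AuthzError("policy", "self-service cancellation window has closed")

# Layer 3, invariants: what must *never* be false, whoever made the change.
VALID_STATUSES = frozenset({"pending", "shipped", "cancelled"})

def check_invariants(order):
    if order.status not in VALID_STATUSES:
        raise AuthzError("invariant", f"unknown status {order.status!r}")
    if order.refunded and order.status != "cancelled":
        raise AuthzError("invariant", "a refunded order must be cancelled")

def transition(order, **changes):
    """Single choke point for state changes, so invariants cannot be skipped."""
    new = replace(order, **changes)
    check_invariants(new)
    return new

# An action composes the layers in order; the first layer to object wins.
def cancel_order(user, order, now):
    check_permission(user, "order:cancel")
    check_cancel_policy(user, order, now)
    return transition(order, status="cancelled")

def decide(action, *args, **kwargs):
    """Return 'allowed' or the name of the layer that rejected the attempt."""
    try:
        action(*args, **kwargs)
        return "allowed"
    except AuthzError as exc:
        return exc.layer

# Constructed sample data (not real users or orders).
NOW = datetime(2026, 1, 12, 12, 0, tzinfo=timezone.utc)
ALICE = User("alice", frozenset({"customer"}))
BOB = User("bob", frozenset({"customer"}))
NOBODY = User("nobody", frozenset())
AGENT = User("agent", frozenset({"support"}))
FRESH = Order("o1", "alice", "pending", NOW - timedelta(hours=1))
STALE = Order("o2", "alice", "pending", NOW - timedelta(days=3))
SHIPPED = Order("o3", "alice", "shipped", NOW - timedelta(days=3))

def demo():
    return {
        "no_role": decide(cancel_order, NOBODY, FRESH, NOW),
        "not_owner": decide(cancel_order, BOB, FRESH, NOW),
        "too_late": decide(cancel_order, ALICE, STALE, NOW),
        "support_any_time": decide(cancel_order, AGENT, STALE, NOW),
        "already_shipped": decide(cancel_order, ALICE, SHIPPED, NOW),
        "owner_in_window": decide(cancel_order, ALICE, FRESH, NOW),
        # A caller that skips the policy layer still hits the invariant.
        "bypass_policy": decide(transition, SHIPPED, refunded=True),
    }
```

Running `demo()` returns, for each attempt, either `"allowed"` or the layer that rejected it. The design choice worth noticing is that policy checks take `now` as a parameter rather than reading the clock, which keeps "what is valid now" testable, and that `transition` is the only way state changes, which is what makes the invariant layer a boundary rather than a convention.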
Dec 25, 2025 · 7 min read · The cybersecurity orthodoxy has a sacred cow: password managers are unquestionably good, and everyone should use one. We've preached this gospel for years, dismissing skeptics as Luddites who don't understand basic security hygiene. But the ongoing c...