A very long read but contains lots of insights. Goes from two very famous security-related failures, to highlighting how a test-first approach could have helped. It then finishes with a long section on how to foster a testing culture in an organisation.
An old one but it shows quite well how social engineering works. It's often way more powerful than the technical defense you try to raise.
Interesting take. Indeed risks shouldn't be considered in isolation. They actually compound and that can add up fairly quickly.
Your digital life is secure? Good... now is it really safe? Can you recover in case of a catastrophic event?
Nice overview of where we stand regarding supply chain security. Code reuse has never been so widespread and we still have fundamental issues leading to security problems.
Unsurprisingly ends up with an advertisement for their own security tool. That said, the vector used for the attack is interesting. With more npm-like ecosystems available nowadays, should we expect to see more such attacks?
A good explanation of why you likely don't want a centralised package manager for your ecosystem.
Good idea to standardise this for vendors just like we do using CVEs for software components. This would definitely improve dealing with breaches.
Bad actors will go to great lengths to try to compromise your supply chain.
It's indeed surprising that this compromised npm account didn't lead to more damage. It's a good reminder that you better regularly audit what happens in your ecosystem.
This is quite a rant. Now I admit I'm not in love with passkeys and this piece shows quite well a lot of arguments against them.
Clearly Citrix is drowning as a product... How can people still trust the provider after such an episode?
Not all vulnerability reports are born equal... This can be a waste of time when the vulnerability is on the reporter's end.
Unsurprisingly this ecosystem keeps being more and more closed.
Mind your typos... It seems clear a bad actor is hiding behind that one.
Alright... Those are really bad security practices. Don't do this at home.
Interesting point, fairly logical, but I hadn't sat down to think it through before. Indeed, using arenas to get back features of manual memory management won't lead to the same security issues as it would outside of a memory-safe language.
An oldie but a goodie about SQL injection. Does a good job getting the overall picture of this particular security plague.
Still some work needed to get proper confinement in practice for apps in the Flatpak ecosystem.
Better not trust ZIP files you receive...