Scott’s Thoughts

You are doing well. Just keep learning.

You Cannot Secure Cyber

Cyber is useful as an executive umbrella term, but dangerous when practitioners adopt it as precise language. Security is an engineering discipline. Engineering requires specificity. You secure assets, systems, identities, data, processes, and trust boundaries. You do not secure “cyber”. This article was prompted by conversations I had around BSides Calgary 2026, but it is not about BSides. It is about a broader habit in the security industry. I grew up around the 90s hacker scene, so I should probably have more tolerance for the word “cyber”. ...

May 26, 2026 · 4 min · 696 words · Scott Brown

Eliminating OS-Level CVEs from Flyway Docker Images with Distroless

The Problem If you run database migrations with Flyway inside Docker containers, you’ve probably noticed the steady stream of CVE findings from your vulnerability scanner. AWS ECR image scanning, Trivy, Grype — they all flag the same thing: dozens of OS-level vulnerabilities in the base image that have nothing to do with your migrations. The official Flyway Docker image is built on Debian with a full JDK installation. That means you’re shipping apt, bash, curl, openssl, hundreds of shared libraries, and an entire Linux userspace — all so you can run a Java process that connects to PostgreSQL and executes SQL files. Every one of those packages is a potential source of CVE findings, and most of them will never be patched in the Flyway image because Redgate doesn’t rebuild on every upstream security release. ...

May 21, 2026 · 8 min · 1507 words · Scott Brown

Streaming ZPA Logs to Splunk for 95% Less Cost

When your organization runs Zscaler Private Access (ZPA) for zero trust network access, you inevitably need visibility into what’s happening: who’s connecting, what they’re accessing, and whether your app connectors are healthy. ZPA’s Log Streaming Service (LSS) gets those logs out of Zscaler’s cloud — but getting them into your SIEM reliably and cheaply is a design problem worth talking about. It was not as simple as the documentation makes it out to be. ...

February 16, 2026 · 10 min · 1977 words · Scott Brown

2025 Playlist

These are the songs I was listening to this year.

edamame – bbno$, Rich Brian
AAAHH MEN! – Doja Cat
Pretty Girls (feat. OBanga) – Will Smith, OBanga
Woman – Doja Cat
Jealous Type – Doja Cat
Sugar On My Tongue – Tyler, The Creator
1-800 – bbno$, Ironmouse
Mystical Magical – Benson Boone
gigolo – bbno$

And that’s it for 2025! See you next year!

December 31, 2025 · 1 min · 66 words · Scott Brown

Confession

I’ve been doing a lot of thinking lately on a particular topic and I have come to the conclusion that I have a confession to make. I withdrew late from my MATH 153 course in first-year university. There, I said it. It doesn’t seem so bad once I write it here, it’s almost laughable, but I have hidden this information as a deep, dark secret my entire adult life. I even allowed it to become a core part of my identity. Let me break down what happened, because this confession is more about shining a light on something that wants to remain in the dark than it is about just me talking about the past. ...

December 30, 2025 · 7 min · 1459 words · Scott Brown

Setlist

AWS Identity Centre makes access sane, but the config file still ends up full of manual work: every account, every permission set, every profile name. Setlist removes the tedium by building a full .aws/config from the permission sets you actually have provisioned. It walks AWS Organizations, pulls the permission sets per account, and writes clean profiles for each combination. If you want friendly names instead of 12-digit account IDs, it can map those too. ...

December 29, 2025 · 1 min · 91 words · Scott Brown

gitgrab: clone every repo in a GitHub org

I keep a lot of repositories spread across organizations. When I need a local copy of everything (backup, audit, offline work, whatever), I end up writing one-off scripts that are boring, fragile, and always missing the one repo I forgot about. So I wrote a tool to make this boring task repeatable: gitgrab. https://github.com/scottbrown/gitgrab gitgrab does one thing: it grabs every repository from a GitHub organization and puts them in a directory on disk. It talks to the GitHub API, so it sees both public and private repos. When you run it again, it doesn’t re-clone; it updates what you already have. ...

December 28, 2025 · 2 min · 345 words · Scott Brown

Quantitative Risk Matrix

Most risk matrices fall apart because the numbers are vibes. One team calls an impact a 5, another calls it a 2, and nobody can agree why. This tool forces the hard part first: define what each impact level and likelihood level actually means. That could be dollars, headlines, or hours of downtime. Once the definitions are set, the matrix shows the severity bands and a summary of the quantitative levels. ...

December 27, 2025 · 1 min · 94 words · Scott Brown

Meeting Prep Checklist

Most meetings fail before they start. Not because people are lazy, but because nobody wrote down the basics: what we are doing, who is needed, and what decisions are on the table. The Meeting Prep Checklist is a small tool that keeps that list tight. Set the objective, capture the agenda, list attendees and pre-reads, and track a few prep checks. When you are done, it copies a clean summary you can drop into a doc or email. ...

December 27, 2025 · 1 min · 101 words · Scott Brown

Risk Register Lite

I keep a risk register for the same reason I keep a TODO list: memory is not a system. So I built a small, browser-only tool to keep the register clean and boring. Risk Register Lite lets you add a risk, set likelihood and impact, and capture mitigation notes. It scores each item, stays local in your browser, and can export to CSV when you need to move the data elsewhere. ...

December 27, 2025 · 1 min · 93 words · Scott Brown