I was recently asked to be part of a focus group for a new performance management framework. One of the things I noticed is that the framework fell into the same trap as what I’ve seen at other companies I’ve worked that had the same framework. I’m not sure where these HR teams get the ideas for these frameworks, but they all suffer from the same flaws. Regardless, I wanted to highlight an issue I saw with their 9-Box model. ...
A common refrain from people nowadays is the obviousness that AI is being used to create their content. There are often the usual tells: emdashes, if-then bridges, emojis. Oh gosh, so many emojis. It’s a tell, but what’s more interesting to me is that AI is not wrong in that regard. It’s just that the content published by people contains the AI’s writing voice. Everyone has a voice when they write. Sometimes it is called a style, but I prefer “voice” because when I read someone’s writing I often hear their voice in my head. And that voice will change depending on the author, as it should, because the writing is specific to the author. ...
Cyber is useful as an executive umbrella term, but dangerous when practitioners adopt it as precise language. Security is an engineering discipline. Engineering requires specificity. You secure assets, systems, identities, data, processes, and trust boundaries. You do not secure “cyber”. This article was prompted by conversations I had around BSides Calgary 2026, but it is not about BSides. It is about a broader habit in the security industry. I grew up around the 90s hacker scene, so I should probably have more tolerance for the word “cyber”. ...
The Problem If you run database migrations with Flyway inside Docker containers, you’ve probably noticed the steady stream of CVE findings from your vulnerability scanner. AWS ECR image scanning, Trivy, Grype — they all flag the same thing: dozens of OS-level vulnerabilities in the base image that have nothing to do with your migrations. The official Flyway Docker image is built on Debian with a full JDK installation. That means you’re shipping apt, bash, curl, openssl, hundreds of shared libraries, and an entire Linux userspace — all so you can run a Java process that connects to PostgreSQL and executes SQL files. Every one of those packages is a potential source of CVE findings, and most of them will never be patched in the Flyway image because Redgate doesn’t rebuild on every upstream security release. ...
When your organization runs Zscaler Private Access (ZPA) for zero trust network access, you inevitably need visibility into what’s happening: who’s connecting, what they’re accessing, and whether your app connectors are healthy. ZPA’s Log Streaming Service (LSS) gets those logs out of Zscaler’s cloud — but getting them into your SIEM reliably and cheaply is a design problem worth talking about. It was not as simple as the documentation makes it out to be. ...
These are the songs I was listening to this year. edamame – bbno$, Rich Brian AAAHH MEN! – Doja Cat Pretty Girls (feat. OBanga) – Will Smith, OBanga Woman – Doja Cat Jealous Type – Doja Cat Sugar On My Tongue – Tyler, The Creator 1-800 – bbno$, Ironmouse Mystical Magical – Benson Boone gigolo – bbno$ And that’s it for 2025! See you next year!
I’ve been doing a lot of thinking lately on a particular topic and I have come to the conclusion that I have a confession to make. I withdrew late from my MATH 153 course in first-year university. There, I said it. It doesn’t seem so bad once I write it here, it’s almost laughable, but I have hidden this information as a deep, dark secret my entire adult life. I even allowed it to become a core part of my identity. Let me break down what happened, because this confession is more about shining a light on something that wants to remain in the dark than it is about just me talking about the past. ...
AWS Identity Centre makes access sane, but the config file still ends up full of manual work. Every account, every permission set, every profile name. Setlist removes the tedium by building a full .aws/config from the permission sets you actually have provisioned. It walks AWS Organizations, pulls the permission sets per account, and writes clean profiles for each combination. If you want friendly names instead of 12 digit account IDs, it can map those too. ...
I keep a lot of repositories spread across organizations. When I need a local copy of everything (backup, audit, offline work, whatever), I end up writing one-off scripts that are boring, fragile, and always missing the one repo I forgot about. So I wrote a tool to make this boring task repeatable: gitgrab. https://github.com/scottbrown/gitgrab gitgrab does one thing: it grabs every repository from a GitHub organization and puts them in a directory on disk. It talks to the GitHub API, so it sees both public and private repos. When you run it again, it doesn’t re-clone; it updates what you already have. ...
Most risk matrices fall apart because the numbers are vibes. One team calls an impact a 5, another calls it a 2, and nobody can agree why. This tool forces the hard part first: define what each impact level and likelihood level actually means. That could be dollars, headlines, or hours of downtime. Once the definitions are set, the matrix shows the severity bands and a summary of the quantitative levels. ...