You Cannot Secure Cyber

Cyber is useful as an executive umbrella term, but dangerous when practitioners adopt it as precise language. Security is an engineering discipline. Engineering requires specificity. You secure assets, systems, identities, data, processes, and trust boundaries. You do not secure “cyber”. This article was prompted by conversations I had around BSides Calgary 2026, but it is not about BSides. It is about a broader habit in the security industry. I grew up around the 90s hacker scene, so I should probably have more tolerance for the word “cyber”. ...

May 26, 2026 · 4 min · 696 words · Scott Brown

Eliminating OS-Level CVEs from Flyway Docker Images with Distroless

The Problem

If you run database migrations with Flyway inside Docker containers, you’ve probably noticed the steady stream of CVE findings from your vulnerability scanner. AWS ECR image scanning, Trivy, Grype — they all flag the same thing: dozens of OS-level vulnerabilities in the base image that have nothing to do with your migrations. The official Flyway Docker image is built on Debian with a full JDK installation. That means you’re shipping apt, bash, curl, openssl, hundreds of shared libraries, and an entire Linux userspace — all so you can run a Java process that connects to PostgreSQL and executes SQL files. Every one of those packages is a potential source of CVE findings, and most of them will never be patched in the Flyway image because Redgate doesn’t rebuild on every upstream security release. ...

May 21, 2026 · 8 min · 1507 words · Scott Brown

Setlist

AWS Identity Centre makes access sane, but the config file still ends up full of manual work. Every account, every permission set, every profile name. Setlist removes the tedium by building a full .aws/config from the permission sets you actually have provisioned. It walks AWS Organizations, pulls the permission sets per account, and writes clean profiles for each combination. If you want friendly names instead of 12-digit account IDs, it can map those too. ...

December 29, 2025 · 1 min · 91 words · Scott Brown

Quantitative Risk Matrix

Most risk matrices fall apart because the numbers are vibes. One team calls an impact a 5, another calls it a 2, and nobody can agree why. This tool forces the hard part first: define what each impact level and likelihood level actually means. That could be dollars, headlines, or hours of downtime. Once the definitions are set, the matrix shows the severity bands and a summary of the quantitative levels. ...

December 27, 2025 · 1 min · 94 words · Scott Brown

Risk Register Lite

I keep a risk register for the same reason I keep a TODO list: memory is not a system. So I built a small, browser-only tool to keep the register clean and boring. Risk Register Lite lets you add a risk, set likelihood and impact, and capture mitigation notes. It scores each item, stays local in your browser, and can export to CSV when you need to move the data elsewhere. ...

December 27, 2025 · 1 min · 93 words · Scott Brown

Introducing Prism: A CLI for AWS Security Hub That Actually Makes Sense

If you’ve ever worked with AWS Security Hub, you know the feeling: thousands of security findings scattered across multiple accounts, buried in the AWS console, and no easy way to share them with your team. Sure, the data is there, but getting actionable insights? That’s a different story. That’s why I built Prism.

What is Prism?

Prism is a CLI tool that transforms AWS Security Hub findings into something you can actually work with. Written in Go, it collects security findings from AWS and presents them in multiple formats—interactive HTML reports, JSON exports, CSV spreadsheets, Markdown documents, or colourised terminal output. ...

December 4, 2025 · 5 min · 893 words · Scott Brown

Tips and Tricks When Handling Security Incidents

Alternate title: So You’ve Found Yourself in a Security Incident

I’ve attended, commanded and, yes, caused, many security incidents in my career. This is not an appeal to authority but, rather, an appeal to experience. Often we don’t have time to talk or teach about security incidents, so this document collects various tips and tricks I’ve encountered throughout the years. Please note that I’m not a lawyer, and do not dispense legal advice, so my focus will remain on information security and I may have to decline to answer your question. ...

June 5, 2025 · 10 min · 1999 words · Scott Brown

Security Training is Hard

I recently had to go through the mandatory annual training around ethics, security, and handling sensitive data. As at many companies, this training comes in the form of pre-built SCORM courses. I received the following question from KnowBe4, specifically in handling sensitive data. I was going to answer this question by choosing “Find a location with greater privacy and communicate using encrypted messages on a secure connection”. I was so close to clicking the Submit button. Then at the last moment, I changed my mind and chose “Tell the office that for security concerns the call will have to wait until you get to your hotel room.” I clicked the Submit button and waited for the result. ...

February 7, 2023 · 5 min · 902 words · Scott Brown

Operationalizing the AlienVault Sensor CloudFormation Template - Part 4

This is part 4 in a series of articles. To follow along via code, visit the GitHub repository. In the last article, I reviewed the template for operational and security risks. Let’s go fix some of them now.

Making Unsafe Defaults Safe

First, some guard rails are added to the template. Remove the Default attribute from both SSHLocation and HTTPLocation, ensuring that the caller specifies them in the CloudFormation template. That way, if the caller does use 0.0.0.0/0, it is a decision they have made, not the template. ...

November 26, 2020 · 3 min · 555 words · Scott Brown

Operationalizing the AlienVault Sensor CloudFormation Template - Part 3

This is part 3 in a series of articles. To follow along via code, visit the GitHub repository. The last article discussed some refactoring using new(-ish) CloudFormation features, which help improve the readability and reduce the template’s file size. This article temporarily moves away from template modifications and focuses on how someone can review a CloudFormation template for security and operational risks.

Parameters

Let’s start with the Parameters section, because that is going to tell us what dependencies we need to bring into this template from our AWS or organizational environment. ...

November 24, 2020 · 9 min · 1852 words · Scott Brown