See latest writings about software security and a little miscellania.

Book cover art

Kohnfelder, Loren. Designing Secure Software: A Guide for Developers. No Starch Press, 2021.

Designing Secure Software consolidates more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process.

The book begins with a discussion of core concepts, covering trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book’s most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities.

You’ll learn how to:

  • Identify important assets, the attack surface, and the trust boundaries in a system
  • Evaluate the effectiveness of various threat mitigation candidates
  • Work with well-known mitigations and secure design patterns
  • Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more
  • Use security testing to proactively identify vulnerabilities introduced into code
  • Review a software design for security flaws effectively and without judgment

“The writing in this book is very clear and easy reading, and the examples used are both captivating and easy to understand. Kohnfelder does a great job of making a point that is easy to understand, and most of the chapters could stand alone for developers just working in that one particular area.” (read the full review)


Toward Better AI Legislation

“People deserve to know whether or not the videos, photos, and content they see and read online is real or original,” said Senator Schatz. “Our bill is simple – if any digital content is made by artificial intelligence, it should be labeled so that people are aware and aren’t fooled or scammed.”

[Read More]

June 2026

This month the link dump continues to evolve: breaking out a few article length posts and then various links and quick thoughts to share. As always this is all quick takes so please read with a grain of salt and I’m happy to get criticism where needed.

[Read More]

“Fence the ocean”

According to the recent article, ‘Very blunt approach’:

eSafety Commissioner Julie Inman Grant has expressed reservations about the social media ban for under-16s pushed by Minister for Communications Anika Wells.
“What you’re effectively asking us to do with this is fence the ocean,” she said. “We might be able to create some friction and some degree of safety, but it’s a futile exercise if you think you’re totally stemming the ocean.”

[Read More]

Paywalls fall thanks to AI Overview (Google search)

The NY Times teases a paywalled article, “A.I. won’t take all our jobs because it can’t reason like a human, Zeynep Tufekci writes.” linking to the article behind a paywall. Simply searching for [it can’t reason like a human, Zeynep Tufekci] provides a nice summary of the article, not only penetrating the paywall but also saving time and skipping the ads.

[Read More]

Entertaining ourselves

Neil Postman’s book, Amusing Ourselves to Death: Public Discourse in the Age of Show Business, is shockingly relevant today. He strips away the facade of mainstream media revealing its dark side and four decades later it’s all very recognizable as applicable today. Not only is it prescient, but making his points about the quaint legacy of now old school media makes everything very easy to follow, as well as demonstrating that today these same effects have kicked in orders of magnitude more so. Here are a few highlights but there is so much more in there.

[Read More]
media 

Waterfall under the bridge

TIL the origins of the concept of software waterfall development: it was first used to advise against the practice. There are a number of analogous examples of terminology for criticism being adopted by fans, either unaware or unswayed by the critic’s words.

[Read More]

School budget reform by video game

The point of this fascinating story: now that we can vibe code there are all kinds of creative uses; and because these applications do not need the rigor that commercial software requires, prototyping “alpha” quality is no problem.

[Read More]
genAI 

May 2026 Link dump

  • The real AI; Is AI profitable?; Very Important Words the Tech Industry Ruined
  • System modeling
  • Guardrails?
  • Anthropic sandboxing
  • What’s a Virus?
  • Threat model or triage guideline?
  • Big Tech priorities

The real AI Seth Godin, based on Woz’s definition of “AI” (spoiler: Actual Intelligence).

[Read More]

April 2026 Link dump

  • Anthropic Mythos: security superpowers?
  • Threat model scope matters
  • Anyone ready for quantum break in 2029?
  • Trains with 5G windows and noise-cancelling cabins: only in Japan
  • The NAND gate of continuous mathematics: all elementary functions from one operator

Anthropic holding back Mythos because they claim it has extraordinary powers to discover security flaws (whether the claims hold up or not) was a master marketing/PR move. It instantly made a big splash, generated great demand, and as a side effect it at least made the software security community wonder, “what if it’s true?” Naturally, there are all kinds of opinions, rebuttals, and reactions.

[Read More]