See latest writings about software security and a little miscellanea.

Kohnfelder, Loren. Designing Secure Software: A Guide for Developers. No Starch Press, 2021.

Designing Secure Software consolidates more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process.

The book begins with a discussion of core concepts, covering trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book’s most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities.

You’ll learn how to:

  • Identify important assets, the attack surface, and the trust boundaries in a system
  • Evaluate the effectiveness of various threat mitigation candidates
  • Work with well-known mitigations and secure design patterns
  • Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more
  • Use security testing to proactively identify vulnerabilities introduced into code
  • Review a software design for security flaws effectively and without judgment

“The writing in this book is very clear and easy reading, and the examples used are both captivating and easy to understand. Kohnfelder does a great job of making a point that is easy to understand, and most of the chapters could stand alone for developers just working in that one particular area.” (read the full review)


June 2026

This month the link dump continues to evolve: breaking out a few article-length posts and then various links and quick thoughts to share. As always, these are all quick takes, so please read with a grain of salt; I’m happy to get criticism where needed.

“Fence the ocean”

According to the recent article, ‘Very blunt approach’:

eSafety Commissioner Julie Inman Grant has expressed reservations about the social media ban for under-16s pushed by Minister for Communications Anika Wells.
“What you’re effectively asking us to do with this is fence the ocean,” she said. “We might be able to create some friction and some degree of safety, but it’s a futile exercise if you think you’re totally stemming the ocean.”

Paywalls fall thanks to AI Overview (Google search)

The NY Times teases a paywalled article, “A.I. won’t take all our jobs because it can’t reason like a human, Zeynep Tufekci writes.” linking to the article behind a paywall. Simply searching for [it can’t reason like a human, Zeynep Tufekci] provides a nice summary of the article, not only penetrating the paywall but also saving time and skipping the ads.

Entertaining ourselves

Neil Postman’s book, Amusing Ourselves to Death: Public Discourse in the Age of Show Business, is shockingly relevant today. He strips away the facade of mainstream media, revealing its dark side, and four decades later it is all very recognizable. Not only is it prescient, but because he makes his points about the quaint legacy of now old-school media, everything is very easy to follow, and it demonstrates that today these same effects have kicked in orders of magnitude more strongly. Here are a few highlights, but there is so much more in there.

Least credentials and Age verification

Commenting on yet another breach of sensitive data (passports), Bruce Schneier makes a good point: requiring such powerful credentials as proof for an unimportant purpose is the design flaw behind this operational snafu. This is equivalent to the superintendent of a large apartment building giving the master key to someone who only needs access to a storage closet for a day.

Waterfall under the bridge

TIL the origins of the concept of software waterfall development: it was first used to advise against the practice. There are a number of analogous examples of terminology for criticism being adopted by fans, either unaware of or unswayed by the critic’s words.

School budget reform by video game

The point of this fascinating story: now that we can vibe code, there are all kinds of creative uses, and because these applications do not need the rigor that commercial software requires, prototyping at “alpha” quality is no problem.

May 2026 Link dump

  • The real AI; Is AI profitable?; Very Important Words the Tech Industry Ruined
  • System modeling
  • Guardrails?
  • Anthropic sandboxing
  • What’s a Virus?
  • Threat model or triage guideline?
  • Big Tech priorities

The real AI: Seth Godin, based on Woz’s definition of “AI” (spoiler: Actual Intelligence).

April 2026 Link dump

  • Anthropic Mythos: security superpowers?
  • Threat model scope matters
  • Anyone ready for quantum break in 2029?
  • Trains with 5G windows and noise-cancelling cabins: only in Japan
  • The NAND gate of continuous mathematics: all elementary functions from one operator

Anthropic holding back Mythos because they claim it has extraordinary powers to discover security flaws (whether the claims hold up or not) was a master marketing/PR move. It instantly made a big splash, generated great demand, and as a side effect it at least made the software security community wonder, “what if it’s true?” Naturally, there are all kinds of opinions, rebuttals, and reactions.

Software security with Large Language Models

“AI” in my view is already, and will certainly continue to be, a massive disruption to software in the coming years. Furthermore, we have an unprecedented wave coming that’s only just now beginning to break. Yet the biggest unknown, as I see it, is how the software community will respond, and that will be more due to social factors than purely technical ones. This is very much as it should be; however, our very human frailties and limitations will inevitably drive how this unfolds.
