“When a paradigm shifts, everyone goes back to zero” (Joel A. Barker in his book “Future Edge”). These days I find two types of people when talking about AI. The first type consists of those who doubt AI can do things properly. In my space, specifically, that would be coding. The argument goes something like…
Talked about QA and Cyber Security at OnPod
Had a great conversation with Kristen Tilgner at the OnPod Studios podcast about QA and Cyber Security in the AI era. This touched on and expanded some points I made in my recent blog post on quality assurance and the work we do with ReARM.
Time to Start Treating Dev Machines as Untrusted
Shai-Hulud, Shai-Hulud 2.0, Trivy, LiteLLM, and now Axios, and many smaller compromises bring us to the realization that existing supply chains are highly vulnerable. A common thread across these attacks is that once you download and install a compromised package, the usual behavior of the malicious code inside is to steal tokens and other…
Want to Survive Current Tech Era – Learn to Be a Good QA
The amount of messages I see these days on our Discord and other platforms from humans and bots desperately looking for jobs is at spam-like levels. A couple of years ago, these were mostly coming to me in the form of LinkedIn InMails selling development contracts. It looks like now there may be no budgets left for InMails…
Towards Perfect Vulnerability Management System
Here I would like to summarize my thoughts on what constitutes a perfect vulnerability management system, what frequently gets missed, and what elements we already have in the latest ReARM release. I. Not Only Vulnerabilities First of all, a management system should cover all security findings, not only vulnerabilities. That includes things like SAST /…
SBOM Developments for December 2025
Happy New Year 2026! Following my previous post about SBOM developments for July 2025, this is another one about things that happened in the community since. Again, this is mostly for myself as a reference storage, but I’m happy if other people find this useful too. 1. ENISA SBOM Landscape Analysis December 2025 – important…
My TEA Talk from OWASP 2025 Global AppSec USA
Slides available here.
How to Use ReARM to Check if Shai-Hulud 2.0 Infiltrated Your Dependencies (video)
I recorded a video showing the new batch search for SBOM components functionality in ReARM:
My Talk on TEA at KubeCon NA 2025 Pre-event
I gave another talk on the Transparency Exchange API at Open Source SecurityCon 2025 in Atlanta on November 10: “Transparency Exchange API: Where To Find Product SBOM?” The YouTube recording is now live and available below. You can also find the slides here.