This is a follow-up on my older post “7 Best Practices of Modern CI/CD”. Points outlined there still hold true, but they are missing several important security considerations. Today, in 2026, CI/CD pipelines have become one of the key supply chain attack vectors (refer, for example, to the recent Trivy compromise). That warrants an… Continue reading CI/CD Security Principles in 2026
Category: Security
The last line of defense must not be AI
The frequently circulating answer to the question of how we govern AI doing the work at scale is “AI turtles all the way down”. Meaning that more AI downstream can solve any problems originating upstream. I believe we can now clearly see it’s a fallacy – the same way our world does not rest on… Continue reading The last line of defense must not be AI
ReARM: Governing AI Coding Agents Demo
New ReARM Pitch – Governance for Agentic Coding
This was recorded at CIS Ottawa 2026. Slides available here.
Time to Start Treating Dev Machines as Untrusted
Shai-Hulud, Shai-Hulud 2.0, Trivy, LiteLLM, and now Axios, and many smaller compromises bring us to the realization that existing supply chains are highly vulnerable. A common thread across these attacks is that once you download and install a compromised package, the usual behavior of the malicious code inside is to steal tokens and other… Continue reading Time to Start Treating Dev Machines as Untrusted
Towards Perfect Vulnerability Management System
Here I would like to summarize my thoughts on what constitutes a perfect vulnerability management system, what frequently gets missed, and what elements we already have in the latest ReARM release. I. Not Only Vulnerabilities. First of all, a management system should cover all security findings, not only vulnerabilities. That includes things like SAST /… Continue reading Towards Perfect Vulnerability Management System
SBOM Developments for December 2025
Happy New Year 2026! Following my previous post about SBOM developments for July 2025, this is another one about things that happened in the community since. Again, this is mostly for myself as a reference storage but I’m happy if other people find this useful too. 1. ENISA SBOM Landscape Analysis December 2025 – important… Continue reading SBOM Developments for December 2025
My TEA Talk from OWASP 2025 Global AppSec USA
Slides available here.
How to Use ReARM to Check if Shai-Hulud 2.0 Infiltrated Your Dependencies (video)
I recorded a video showing the new batch search functionality for SBOM components in ReARM:
My Talk on TEA at KubeCon NA 2025 Pre-event
I gave another talk on Transparency Exchange API at Open Source SecurityCon 2025 in Atlanta on November 10: “Transparency Exchange API: Where To Find Product SBOM?” The YouTube recording is now live and available below. You can also find slides here.