Blog

Notes on shipping secure code

Practical write-ups on the vulnerabilities we see most often, written for developers rather than auditors.

🛡️ JWT Authentication: The Mistakes That Undo the Whole Point

JWTs are self-contained by design, which is exactly what makes a handful of small implementation mistakes turn into full authentication bypasses.

🛡️ OWASP Top 10, Explained for Working Developers

The OWASP Top 10 gets cited constantly in security tooling, but most of it reads like a compliance checklist. Here's what each category actually means for the code you write day to day.

🛡️ Insecure Deserialization in Python: Why pickle.load() Can Run Arbitrary Code

pickle.load() doesn't just read data back into memory — for untrusted input, it can execute arbitrary Python as a side effect of loading it.