Using Canary Tokens to Detect Sensitive Data Leakage Across Systems
Traditional Canary Tokens vs. Leak-Detection Canaries
Traditional canary tokens are planted secrets (e.g. fake API keys, document IDs, or
Inheritance-Based Auth: Where It Breaks
In codebases, using secure inheritance checks to enforce authentication and authorization at scale is one of the most trusted approaches.
Combining Threat Modeling with Tabletop Exercises for Maximum Results
Usually, threat modeling and tabletop exercises are performed in silos. However, I believe one of the most powerful use cases
Semgrep + AI for Infrastructure as Code: Targeted IaC Security Without the Noise
General-purpose AI code scans (Claude Code, Cursor, etc.) are great for broad reviews, but they often skip or under-prioritise infrastructure.
Semgrep + LLM for IDOR Detection: Fewer False Positives by Scoping the Review
IDOR (Insecure Direct Object Reference) findings from broad security scans are often noisy. A tool flags every place a user-supplied
Bypassing Event Handlers: Using Database Constraints as Last Line of Defence
Many codebases rely on on_change callbacks, Django signals (post_save, pre_save, etc.), Rails callbacks and similar event handlers to protect
Don’t Fire Your Regex Yet: The Hidden Risks of AI-Only WAFs
Background
Over the past few months, I have had the opportunity to evaluate several Web Application Firewalls and API security