I've maintained the alexsmolen.com site (keepitlocked.net before 2011) and blog with a series of hosted platforms, starting with an ASP.NET hosting site in 2007, moving to WordPress on AWS EC2 in 2011, and finally to a Jekyll-generated static site in 2015.
In 2017, I migrated from EC2 to the CloudFront/S3 infrastructure it's sitting on now.
My recent blog posts are published on Medium.
Posts on Medium
2022.12.05
Vulnerability Inbox Zero
2022.05.08
Signing Serverless Lambda code with GitHub Actions
2022.04.03
What are Security Invariants?
2022.01.14
Securing GitHub organizations
2021.09.22
Service account standards
2021.07.30
Scalable threat modeling
2021.06.13
Login CSRF is low-risk and high-risk
2021.03.06
Building a Slack Block Kit app with Serverless and Go
2020.11.09
Building effective security OKRs
2020.09.12
Using AWS IoT for mutual TLS in a web application
2020.07.07
Use AWS Glue to make CloudTrail Parquet partitions
2020.03.30
Fine-tuning access with AWS IAM global condition context keys
2020.02.03
ALB authentication with G Suite SAML using Cognito
2019.12.02
Identity federation with multiple AWS accounts
2019.07.04
Using IAM Roles with Session Policies for Least Privilege
2018.07.24
Securing New Products at Clever
2018.02.06
Swappiness and Amazon ECS
2018.02.05
Implementing the sudo access pattern for AWS IAM Users
2018.01.15
Partitioning CloudTrail Logs in Athena
2017.08.26
Clever Instant Login, OAuth 2.0, and iOS Applications
2017.07.19
IAM simply with terrafam
2017.01.10
Securing Saved Password Applications
2016.11.05
Backup Codes and Back Doors
2016.05.12
Clever Badges and our Commitment to Security
2015.11.09
Thoughts on Password Strength and Reuse
Older posts
2013.02.10
Ideas for 1Password
2012.09.24
NoPassword
2012.04.02
Alex’s autocomplete rant
2011.04.28
Why I left Yahoo Mail (and you should too)
2011.03.17
KeepItLocked.net is now alexsmolen.com/blog
2011.02.12
Masks: Exploring Privacy and Identity in Virtual Spaces
2011.01.23
KeepItLocked.net gets a makeover
2010.12.23
A Framework for Identifying Privacy Threats
2010.08.12
10 Things that Security and Usability Have in Common
2010.07.30
Password Reset Survey
2010.05.30
Mobile CAPTCHA: Usable CAPTCHA Design for Mobile Interfaces
2010.05.26
UC Berkeley DNA Testing: Trust Us, We're Using Barcodes
2010.05.25
Identity Crisis: OpenID at a Crossroads
2010.05.19
Keep It Locked? More like Keep It Updated.
2009.07.30
OWASP .NET ESAPI 0.2 Released
2009.07.08
SSL Warning Messages - Expired Certificates and Mismatched Sub-Domains
2009.06.05
Weak and Strong Web Security Requirements
2009.06.03
iSchool @ UC Berkeley
2009.04.29
Command Injection Impossible in Java and .NET?
2009.04.01
URL Shortening Dread
2009.03.19
Persistent Authentication versus Session Mechanisms
2009.02.24
C# and VB.NET Security Throwdown!
2009.01.27
SoCalCodeCamp Presentation - “Top Ten Tips for Tenacious Defense for ASP.NET Application”
2009.01.23
@SoCalCodeCamp, Speaking
2008.12.16
More ASP.NET CSRF Protection Options
2008.11.13
Supporting Users with Disabled JavaScript or Cookies
2008.11.07
Preventing Clickjacking with Framebusting
2008.10.17
Preventing CSRF with CsrfGuard
2008.09.10
Giving the OWASP .NET ESAPI a Second Look
2008.08.26
Input Validation Isn't For Wimps
2008.08.20
Managing Secure Software: From Concept to Maintenance
2008.08.14
Is It That Easy to Get Hacked?
2008.06.17
ViewStateUserKey Doesn't Prevent Cross-Site Request Forgery
2008.04.11
Developing ASP.NET in Partial Trust
2008.03.12
OWASP ESAPI.NET
2008.01.02
Software Security and Earthquake Engineering
2007.12.27
Preventing Session Fixation through Session ID Regeneration in Java and ASP.NET
2007.11.06
Java and HttpOnly
2007.10.31
ASP.NET ValidateRequest and the HTML Attribute Based Cross Site Scripting
2007.10.12
Encrypting External Configuration Files Using Protected Configuration/DPAPI
2007.10.10
A Brief History of Applet Security
2007.10.08
Input versus Data, Validation versus Sanitization
2007.10.05
And the Award for MVP Goes To…
2007.09.26
SD Best Practices 2007 (How I Learned to Stop Worrying and Love Developer Conferences)
2007.09.26
Software Security Neologisms
2007.09.14
Experiencing the Rich Web Could Be Costly?
2007.09.01
Goofus and Gallant, Part One
2007.08.22
SD Best Practices 2007
2007.08.14
Bacteria Versus Viruses