First two search results for “blocking origin access directly” on Google showed me two misleading Cloudflare community threads, with wrong security assumption, which is why I decided to write this guide. [1] [2] The best and recommended solution is using Authenticated Origin Pulls with custom certs per domain, but as this is not trivial to set up I decided write about…
Leave a CommentCategory: AppSec
Ever since I installed a LEDA LUC2 fireplace, I wanted deeper insights into how it operates â particularly pressure difference, exhaust temperature, and ventilation state. Unfortunately, the vendor doesnât provide any integration options, and the only external interface is a mysterious RJ12 port on the controller. So I decided to reverse engineer it myself. In this post, Iâll walk you…
15 Comments
Reflections from BSides Canberra 2023 to the Securing Sage Summit 2025 Last month at the Securing Sage Summit, I watched Sonya M. from Snyk give a slick, fast-paced live demo using GitHub Copilot. It was exactly the kind of session that draws a crowd â showing how quickly AI can help generate code from natural language prompts. But then it…
Leave a Comment
Maybe itâs just the talks Iâve attended and articles I read. Maybe itâs just my rabbit hole that I went into. Or maybe⌠weâre all collectively realising the same thing. I hit a wall. At the end of 2024, I went all-in on automation. I built MVPs, tested capabilities, and made it my mission to influence others to do the…
Leave a Comment
In the early days of web development, PHP developers often relied on functions like mysql_escape_string() to sanitize user inputs. However, this approach was fraught with pitfalls. Misuse, incorrect character encoding handling, and a lack of awareness led to numerous vulnerabilities. To address these issues, mysql_real_escape_string() was introduced, which considered the current character set of the database connection, offering a more…
Leave a Comment
Jason Chanâs article “Security for High Velocity Engineering” hit me hard. It captures a reality many of us in Product Security face: engineering teams move fast, and unless your security program evolves beyond one-off engagements and reactive fixes, youâll constantly be playing catch-up. The Fragile Model: When 1:1 Investment Walks Out the Door When I started out as an AppSec…
Leave a Comment
At DEFCON32, my colleague Andra Lezza and I presented a talk on building and securing LLM applications – particularly chatbots – drawing from our work at Sage. One of the highlights of our talk was a practical proof of concept: a smart home setup using Home-Assistant.io, which we showcased to demonstrate safety implications and security considerations of AI-integrated applications. In…
2 Comments
In a world where security needs to move as fast as software delivery, how we structure our AppSec (Application Security) teams is more critical than ever. The right team topology can make the difference between a well-secured application and a bottlenecked security process. Before looking in detail into these structures, letâs break down some essential team types that shape how…
Leave a CommentOver the past few years, the concept of âshift-leftâ has dominated software security. The idea seems intuitive – catch vulnerabilities as early as possible in the development process, allowing teams to remediate issues long before they ever reach production. But after a recent discussions, I started thinking more critically about what shift-left actually delivers and, more importantly, where it might…
Leave a Comment
The Misconception IP allowlisting involves configuring your origin server to accept connections only from specific IP addresses – in this case, Cloudflareâs IP ranges. The logic seems sound: by allowing only trusted IPs, you reduce the risk of unauthorized access. Unfortunately, this method overlooks several attack cases that can be exploited. My Observation Over the years, Iâve noticed numerous security…
Leave a Comment