Infostealers have turned stolen session cookies into a commodity that walks straight past MFA. Device Bound Session Credentials break that economy, and our open DBSC implementation helps services adopt it today.
Secure Software, by Design
Writing
View all posts
Projects
View all projects
Redesigning the RPA Framework database keyword to be secure by design: adding parameterized query support upstream to close a SQL injection class affecting low-code/RPA automations, plus a writeup, an exploit/fix demo, and an OWASP cheatsheet.
A framework-agnostic TypeScript implementation of the W3C Device Bound Session Credentials standard, binding sessions to a device key to blunt cookie and token theft.
A static-analysis ruleset for Opengrep/Semgrep that surfaces what a codebase actually does: network, database, filesystem, crypto, auth, web, and AI usage, to support visibility, threat modeling, and security testing.
A GitHub composite action that runs Opengrep static analysis in CI with pinned releases and checksum verification, emitting JSON/SARIF for the rest of the pipeline.
Services
Including:
- Strategy
- Platform Engineering
- Product Security Assessments
- Deep Research
Contact
General inquiries, introductions, and anything that doesn't fit the boxes below.
New projects, engagements, quotes, and questions about working together.
Help with an existing product or engagement.
Vulnerability reports and responsible disclosure.