Redesigning the RPA Framework database keyword to be secure by design: adding parameterized query support upstream to close a SQL injection class affecting low-code/RPA automations, plus a writeup, an exploit/fix demo, and an OWASP cheatsheet.
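The pattern behind that redesign, shown as an added example rather than RPA Framework's own code: a hypothetical minimal database keyword that splices a workflow value into the SQL text, beside the parameterized form the upstream change makes available. The table, the injected value and the keyword names are all constructed for the illustration.

```python
import sqlite3

# Added illustration of the SQL injection class and its fix; this is not
# RPA Framework's own code. "query_unsafe" and "query_parameterized" are
# hypothetical keyword implementations built for the demo.

def setup_db():
    """Constructed sample table standing in for the automation's target DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def query_unsafe(conn, name):
    """Before: the keyword formats a value from the workflow into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def query_parameterized(conn, statement, params=()):
    """After: the keyword takes a statement with placeholders plus a separate
    params tuple. The driver binds each value as data, so quotes or keywords
    inside a value can never change the statement's structure."""
    return [row[0] for row in conn.execute(statement, params)]

# Constructed attacker-controlled input, e.g. a cell read from a spreadsheet
# that the automation then looks up in the database.
PAYLOAD = "x' OR '1'='1"

def demo():
    conn = setup_db()
    leaked = query_unsafe(conn, PAYLOAD)          # every row comes back
    safe = query_parameterized(
        conn, "SELECT name FROM users WHERE name = ?", (PAYLOAD,)
    )                                              # no row has that literal name
    return leaked, safe

if __name__ == "__main__":
    print(demo())
```

Placeholder syntax is driver-specific (sqlite3 uses `?`, other DB-API drivers use `%s` or named styles), so a keyword exposing parameters should pass the statement through to the driver unchanged rather than rewriting it.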
A framework-agnostic TypeScript implementation of the W3C Device Bound Session Credentials standard, binding sessions to a device key to blunt cookie and token theft.
A static-analysis ruleset for Opengrep/Semgrep that surfaces what a codebase actually does: network, database, filesystem, crypto, auth, web, and AI usage, to support visibility, threat modeling, and security testing.
A GitHub composite action that runs Opengrep static analysis in CI with pinned releases and checksum verification, emitting JSON/SARIF for the rest of the pipeline.
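The checksum step such an action has to get right, as an added example that is not the action's own code: parse a sha256sum-style checksum file, hash the downloaded asset, and refuse to proceed when the asset is unlisted or the digest differs. The asset name, its bytes and the checksum file are constructed stand-ins.

```python
import hashlib
import hmac

# Added illustration of release checksum verification; not the action's own
# code. Every name and byte string below is constructed for the demo.

ASSET_NAME = "opengrep_linux_x86"                     # hypothetical asset file name
ASSET_BYTES = b"#!/bin/sh\necho 'opengrep stub'\n"   # stand-in for the downloaded binary

# The digest a release would publish for that asset, in sha256sum's
# "<hex digest>  <file name>" line format, alongside another listed file.
PUBLISHED_SUMS = (
    f"{hashlib.sha256(ASSET_BYTES).hexdigest()}  {ASSET_NAME}\n"
    f"{'0' * 64}  {ASSET_NAME}.sig\n"
)

def parse_sums(text):
    """Map file name -> lowercase hex digest from a sha256sum-style file."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.strip().lstrip("*")   # tolerate the "*" binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def verify_asset(name, data, sums_text):
    """Return the digest of `data` if it matches the published digest for `name`.

    Raises ValueError when the asset is absent from the checksum file or the
    digest differs; in either case the caller must not execute the binary.
    """
    sums = parse_sums(sums_text)
    if name not in sums:
        raise ValueError(f"{name} is not listed in the checksum file")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, sums[name]):
        raise ValueError(f"checksum mismatch for {name}")
    return actual

if __name__ == "__main__":
    print("verified", verify_asset(ASSET_NAME, ASSET_BYTES, PUBLISHED_SUMS))
```

Pinning the release tag fixes which version is fetched; the checksum is what catches a tampered or substituted asset behind that tag, so the expected digests belong in the action's own source, not in something downloaded at run time.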
A deliberately vulnerable Spring + MongoDB web app for learning, demonstrating, and testing NoSQL injection, built for software engineers, security engineers, pentesters, and trainers.
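The bug class that app demonstrates, as an added example that is not the project's own code: a login handler that turns a deserialized JSON body straight into a MongoDB filter, so a client can send query operators instead of strings, beside a handler that only admits string values. A small in-memory matcher supporting `$ne`, `$gt` and `$regex` stands in for MongoDB, and the users and request bodies are constructed.

```python
import json
import re

# Added illustration of NoSQL operator injection and its fix; this is not the
# project's own code. A tiny in-memory matcher replaces MongoDB and implements
# only the operators the demo needs.

# Constructed users collection.
USERS = [
    {"username": "admin", "password": "s3cret!"},
    {"username": "bob", "password": "hunter2"},
]

def _matches(doc_value, cond):
    """Stand-in for how MongoDB evaluates one field of a query filter."""
    if not isinstance(cond, dict):
        return doc_value == cond                 # plain equality
    for op, arg in cond.items():
        if op == "$ne":
            ok = doc_value != arg
        elif op == "$gt":
            ok = doc_value is not None and doc_value > arg
        elif op == "$regex":
            ok = doc_value is not None and re.search(arg, str(doc_value)) is not None
        else:
            raise ValueError(f"operator not supported by this demo: {op}")
        if not ok:
            return False
    return True

def find(collection, query):
    return [d for d in collection if all(_matches(d.get(k), v) for k, v in query.items())]

def login_vulnerable(body_json):
    """Before: the body is deserialized into untyped values and those values
    become the filter, so {"$ne": ""} in place of a password matches any user."""
    body = json.loads(body_json)
    query = {"username": body["username"], "password": body["password"]}
    return [u["username"] for u in find(USERS, query)]

def login_hardened(body_json):
    """After: the filter is built only from values proven to be strings.
    (The Spring equivalent is binding the body to a DTO with String fields
    instead of a Map or Document.)"""
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return [u["username"] for u in find(USERS, {"username": username, "password": password})]

# Constructed request bodies.
LEGIT = '{"username": "bob", "password": "hunter2"}'
OPERATOR_INJECTION = '{"username": "admin", "password": {"$ne": ""}}'
REGEX_INJECTION = '{"username": {"$regex": "^a"}, "password": {"$regex": "^s3c"}}'

if __name__ == "__main__":
    print(login_vulnerable(OPERATOR_INJECTION))   # admin, without knowing the password
    print(login_hardened(LEGIT))                  # bob
```

The `$regex` case matters beyond bypass: because the match succeeds or fails per prefix, an attacker can recover a stored secret one character at a time, which is why the fix rejects any non-string value rather than filtering a list of known operators.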
Enabling Jinja2 autoescaping by default for HTML and XML templates in robotframework-templateddata: closing a cross-site scripting (XSS) class in low-code/RPA automations by making safe output encoding the default.