Bonds & Bytes

Vkfrost Bonds & Bytes

Sign in Subscribe

Latest — Sep 16, 2025

CISSP - ISSEP Notes.

The Certified Information Systems Security Professional (CISSP) offers three advanced courses, each focusing on a specialized area of cybersecurity: * ISSEP — Information Systems Security Engineering ProfessionalSecure systems engineering and integrationSystems engineers, architects, and security integration professionals * ISSMP — Information Systems Security Management ProfessionalLeadership and management of security programsCISOs, program managers, and senior

More issues

Mother; May I Rage

My, My, Oh My. You know what they say (or at least what TikTok’s school of graduates say): “People with daddy issues become artists, and people with mommy issues become writers.” I didn’t make that up, by the way, I came across it while doom-scrolling (https://www.tiktok.

Session 5 - Container Scanning

Container scanning and why Trivy? As a matter of fact does anyone use any other tool? Think of containers as the Old server setup. There used to be a vulnerability scanner, which wouldnt identify all vulnerabilities and the severity level, so we could either do a scan before provisioning services

Session 4 - IAC

Why Infrastructure as Code (IaC) Came Along Before IaC, managing infrastructure was manual, error-prone, and inconsistent. Engineers had to manually configure servers, networks, and cloud resources, leading to: * Configuration drift: Environments deviating from the intended state. * Slow provisioning: Setting up infrastructure took days or weeks. * Scalability issues: Manually adding/removing

Beneath Floorboards; Underground Man

Readers Alert: If philosophy and psychology make you spiral, proceed with caution. This piece isn’t trying to make sense. It’s here to reflect the madness that is Notes from Underground. What makes this book terrifyingly beautiful is that it’s not about new ideas — it’s about the

Session 3: Evolution & SAST

This TLDR document outlines application deployment evolution from monolithic systems to serverless, highlighting the shift in security practices. Initially focused on perimeter defense, security evolved to include VM, container, and API protection. Now, in cloud-native environments, it emphasizes IAM, automation, and AI-driven threat detection, reflecting the DevSecOps integration. 1. Monolithic

Session 2: Secret Detection

Secrets (passwords, API keys, database credentials, etc.) are essential for applications to function, but their improper handling is a major security risk. Exposing secrets can lead to data breaches, system compromise, and significant financial and reputational damage. Secret Detection & Runtime Security Session 2: Secret Detection - Enhanced What are

Session 1: DevSecOps Introduction

Why DevSecOps? With the rise of cloud computing and rapid software delivery (MVPs, Agile, CI/CD), traditional security models fall short. DevSecOps solves this by embedding security into the development lifecycle. Security must shift left—starting at development—to ensure it's continuous, automated, and integrated without slowing delivery.

Threat Modeling: Tooling and Automation.

Considered through two distinct approaches: threat modeling from code and threat modelling with code. Automating threat modeling depends on various systems, processes, and procedures that exist within an environment, ensuring tailored analysis and mitigation strategies aligned with the specific architecture and operations. Threat modelling from code involves processing system information

Threat Modelling: Methodologies

To follow the series — https://vkfrost.com/tag/threat-modelling/ As Adam Shostack states, “A good threat model is one that produces valid findings.” Threat modelling employs different methodologies to produce useful outcome, These outcome are shaped by factors that vary across different development stages: * Stage 1: No Previous Security Goals