Architecture Decision Records for Security Teams
Why security decisions decay faster than the systems they govern, and how a six-heading ADR turns risk acceptances, exceptions, and design calls into precedent instead of folklore.
Tagged “Engineering”
Why security decisions decay faster than the systems they govern, and how a six-heading ADR turns risk acceptances, exceptions, and design calls into precedent instead of folklore.
The CISA Secure by Design pledge is easy to sign and hard to mean. Here is what each of the seven goals asks of an engineering organization, which practice owns it, and how buyers can tell a commitment from a logo.
A 45-item security architecture review checklist across seven sections, from scope to named sign-offs, with the reasoning behind each section and a free printable version.
Eight tools for threat modeling and security design review, compared honestly by a vendor that competes with most of them: who each one is actually for, what changed after the ThreatModeler-IriusRisk deal, and how AI reshuffled the category.
STRIDE, PASTA, and LINDDUN answer three different questions. A practical comparison of what each methodology finds, what it costs to run, and how to combine them without building a bureaucracy.
The workshop is the scaling bottleneck of threat modeling, not the analysis. How an async-first process covers more systems with less calendar: structured intake, diagrams from what exists, proposed threats, and one short conversation where judgment actually matters.
A practical guide to security design reviews: the six-step process, who needs to be in the room, what a finished review actually contains, and the anti-patterns that turn reviews into theater.
Security culture is not built through compliance training modules. It is built through systems, incentives, and the small decisions that happen every day in engineering teams.