Hashtag: #SecurityArchitecture

Supply chain risk is not just malware and compromised vendors.

It also includes ordinary dependencies:
SDKs
hosted scripts
embedded web content
analytics platforms
remote code paths

A .gov badge does not shrink the attack surface.

#CyberSecurity #AppSec #SecurityArchitecture

Why Cybersecurity Must Be a Business Model — Understanding the Business Model for Information Security (BMIS)! In many organizations, cybersecurity is still primarily viewed as a technical problem. Investments focus on tools such as firewalls, endpoint protection, or monitoring platforms.

Why Cybersecurity Must Be a Business Model — Understanding the Business Model for Information Security (BMIS)!
#CyberSecurity #CloudSecurity #CloudComputing #InformationSecurity #RiskManagement #SecurityArchitecture #BMIS #coolstuff #mvpbuzz
👇👇👇👇
www.linkedin.com/pulse/why-cy...

When Security Architecture Depends on Tribal Knowledge – Jim Guckin

Every organization has a “Mike.”

The one who knows how everything works.

That’s not a strength. That’s a risk.

New article: When Security Architecture Depends on Tribal Knowledge

jimguckin.com/2026/03/19/w...

#CyberSecurity #SecurityArchitecture #InfoSec #SecurityLeadership

Google Accused of Sharing User Data with Chinese Entities | Law.com An attorney said that to avoid accidental violations, companies that handle a lot of data need to have a strong understanding of their own security architecture.

"An attorney said that to avoid accidental violations, companies that handle a lot of data need to have a strong understanding of their own #SecurityArchitecture." #InformationGovernance www.law.com/corpcounsel/...

US Strategic posture from NSS to NDS: The Future of US allies in the Asia-Pacific region - Stratheia Trump’s NSS 2025 shifts US strategy toward China and allies, raising questions about Asia-Pacific security and burden sharing.

The future of the Asia-Pacific security architecture may depend on one key question: Will US allies deepen military cooperation with Washington—or pursue pragmatic engagement with China?
#AsiaPacificStrategy #USChinaCompetition #SecurityArchitecture
stratheia.com/us-strategic...

🔐 Why many companies have no "active cybersecurity program" despite their security measures! Many companies have security measures – but no active cybersecurity program. Firewalls, endpoint protection, backups, MFA, cloud security – in many organizations there already exist numer...

🔐 Why many companies have no "active cybersecurity program" despite their security measures!

#CyberSecurity #CloudSecurity #CloudComputing #InformationSecurity #RiskManagement #SecurityArchitecture #coolstuff #mvpbuzz

👇👇👇👇
www.linkedin.com/pulse/warum-...


🔒 Under the hood: the security architecture of GitHub Agentic Workflows

Discover how isolation and logging keep sec

github.blog/ai-and-ml/generative-ai/...

#GitHubActions #SecurityArchitecture #AgenticAI #RoxsRoss

Modeling SABSA Security Architecture in ArchiMate with Archi SABSA® (Sherwood Applied Business Security Architecture) is a methodology for developing risk-driven enterprise information security and information assurance architectures and for delivering secur...

Looking to level up your EA toolkit? 📈

Learn how to effectively model SABSA in ArchiMate with my top-rated Udemy course. Practical, professional, and essential for modern security-minded architectures.

Enroll today:
www.udemy.com/course/model...

#EA #SecurityArchitecture #Archi #SABSA


I think we need a new category in insider threat: tool-mediated risk.
A system can stay inside authorization and still violate intent. That is a governance failure, not a “user mistake.”
#InsiderThreat #HumanRisk #AIGovernance
#SecurityArchitecture #DataProtection


Monday — New Article
X

Headline: Advanced Homelab Networking & Security — Leveling Up Your Lab
Most homelab setups work… until they don’t. Hidden misconfigurations and weak segmentation quietly create risk long before anything breaks.

#homelab #networkengineering #securityarchitecture #itlearning

The First Rule of Zero Trust Is That Everyone Is Still Trusting Something By Bradley Schagrin

The First Rule of Zero Trust Is That Everyone Is Still Trusting Something

shorturl.at/AZhbZ
#Cybersecurity
#IdentitySecurity
#ZeroTrust
#IdentityFirst

#SecurityArchitecture
#SecurityStrategy
#DigitalIdentity
#RiskManagement

Security Doesn’t Fail During Breaches. It Fails on Tuesdays. By Bradley Schagrin

Security Doesn’t Fail During Breaches.
It Fails on Tuesdays.

shorturl.at/fBwNS
#CyberSecurity
#IdentitySecurity
#SecurityArchitecture
#RiskManagement
#SecurityCulture
#IdentityAndAccessManagement

#ObserveID

Security Doesn’t Fail During Breaches. It Fails on Tuesdays. By Bradley Schagrin

Security Doesn’t Fail During Breaches.
It Fails on Tuesdays.

shorturl.at/VN2zC
#CyberSecurity
#IdentitySecurity
#SecurityArchitecture
#RiskManagement
#SecurityCulture
#IdentityAndAccessManagement

#ObserveID

Leanpub Book LAUNCH 🚀 Code, Chips and Control by Sal Kimmich #books #cybersecurity #ai #technology
Leanpub Book LAUNCH 🚀 Code, Chips and Control by Sal Kimmich #books #cybersecurity #ai #technology Welcome to the Leanpub Launch video for Code, Chips and Control: The Security Posture of Digital Isolation https://leanpub.com/codechipsandcontrol by Sal Kimmich! About the Book Through the lens of…

Leanpub book LAUNCH 🚀 Code, Chips and Control: The Security Posture of Digital Isolation by Sal Kimmich

Watch here: youtu.be/KCURt43Rqhg

#books #leanpublishing #selfpublishing #booklaunch #cybersecurity #infosec #securityarchitecture #supplychainsecurity #opensource #devsecops #hardwaresecurity

Why Every Cybersecurity Architect Should Know How Software Actually Works

I once sat in a meeting where a very earnest security analyst spent several minutes explaining why a particular application was “high risk”. At the end, one of the developers raised a hand and asked a dangerous question: “Have you actually looked at the code?”

The room went quiet. Not _awkward_ quiet. The kind of quiet where everyone realises the answer is “no”, and also realises that answering honestly would make the last twenty minutes feel like an interpretive dance about security rather than security itself.

This is the dirty little secret of a lot of cybersecurity: it’s often done by people who don’t really understand how software behaves once it leaves the whiteboard.

If you don’t understand software, what you’re doing isn’t cybersecurity assessment. It’s interior design. You’re picking colours. You’re arranging furniture. You’re arguing about where the trust boundary _ought_ to be, not where it actually is. And then you’re surprised when an attacker walks straight through a wall you thought was load-bearing.

Software is not static. It is not a diagram. It is a living thing made of edge cases, historical accidents, and one-line fixes added at 2 a.m. because “this should never happen” just happened in production.

When security analysts don’t understand software, they compensate with documents. Lots of them. Threat models that read like speculative fiction. DAST reports that flag “critical vulnerabilities” on endpoints that don’t exist anymore. Controls mapped to frameworks mapped to other frameworks, until nobody can remember what the original problem was. This looks like rigour. It isn’t.

I have nothing against DAST tools. Or SAST tools. Or any of the other four-letter acronyms that vendors assure us will “shift security left” (usually right into your CI pipeline, where it will be promptly ignored). The problem starts when the tool becomes the understanding.

If your mental model of an application is whatever your scanner discovered last night, you don’t understand the application. You understand your scanner. Those are not the same thing.

Real software behaviour lives in places these tools struggle to see:

* Feature flags that change execution paths at runtime
* Configuration files that quietly override “secure defaults”
* Third-party libraries that are technically present but never called
* Code paths that only execute on the third Tuesday of the month when billing runs

A scanner will happily report a SQL injection in code that hasn’t been called since 2019. A developer will tell you, in about thirty seconds, why it doesn’t matter. But you have to be able to _talk_ to developers to get that answer. And that requires speaking software.

There’s a special place in my heart for threat models that list “attacker compromises system” as a step. That’s not a threat model. That’s the blurb on the back of a techno-thriller.

Good threat modelling starts with unglamorous questions:

* Where does input actually enter the system?
* What data is mutable, and by whom?
* What assumptions does this function make about its caller?
* What happens when this call fails in a weird way?

You can’t answer those from architecture diagrams alone. You answer them by reading code, or at least understanding how code _tends_ to be written in the language and framework you’re dealing with.

If you’ve never wrestled with a real codebase, you will consistently overestimate the importance of “big scary components” and underestimate the danger of boring glue code. Attackers don’t break systems by attacking the grand design. They trip over the bits everyone assumed were too dull to worry about.

Here’s another uncomfortable truth: developers can usually tell, within minutes, whether a security analyst understands software. They listen for tells. Vague language. Overconfident assertions. Recommendations that are technically correct but operationally impossible. When they hear those, a little switch flips in their head labelled _“compliance theatre”_. Once that switch flips, you’re done. They’ll nod. They’ll file the ticket. They’ll do the minimum required to make the finding go away. Not because they’re lazy, but because you’ve demonstrated that you don’t inhabit the same reality they do.

The irony is that developers are usually _desperate_ for security input that actually helps. They want someone who can say, “This pattern is dangerous, and here’s a safer one that won’t ruin your sprint.” That only comes from understanding how software is built under real constraints.

Security architecture is a software discipline whether it likes it or not. You don’t have to be a brilliant programmer. You don’t need to write production code every day. But you do need enough literacy to reason about control flow, state, failure modes, and unintended consequences. Otherwise, you’re not designing defences. You’re narrating intentions. And attackers, inconveniently, don’t care what your intentions were.

#securityarchitecture

https://islandinthenet.com/how-software-actually-works/

Why Every Cybersecurity Architect Should Know How Software Actually Works Security architecture only works when architects understand how software really behaves, not just diagrams, frameworks, or compliance checklists.

#securityarchitecture


Zero-Trust: The Paradox Behind the Cybersecurity Illusion
#ZeroTrust #CyberSecurity #AI #GPT #LLM #SecurityArchitecture #CTEM #InHouseSecurity #CyberRisk #Infosec #SecurityEngineering #TrustButVerify
vaptgpt.com
www.linkedin.com/pulse/zero-t...

The Leanpub Podcast 🎙️ Feat. Sal Kimmich, Author of Code, Chips and Control #books #ai #technology
The Leanpub Podcast 🎙️ Feat. Sal Kimmich, Author of Code, Chips and Control #books #ai #technology Sal Kimmich (https://leanpub.com/u/salkimmich) is the author of Code, Chips and Control: The Security Posture of Digital Isolation https://leanpub.com/codechipsandcontrol In this episode of the…

NEW! A Leanpub Podcast Interview with Sal Kimmich, Author of Code, Chips and Control: The Security Posture of Digital Isolation

Watch here: youtu.be/kfeJVv7boNs

#books #leanpublishing #selfpublishing #cybersecurity #infosec #securityarchitecture #supplychainsecurity #opensource

Security Fails Because We Don’t Understand What We’re Seeing By Bradley Schagrin

Security Fails, Because We Don’t Know What We’re Seeing

shorturl.at/Jn5Oz
#Cybersecurity

#IdentitySecurity

#SecurityArchitecture

#ZeroTrust

#IAM

#EnterpriseSecurity

#IAM
#PAM
#Cybersecurity
#IdentitySecurity
#ZeroTrust #IAM
#ObserveID

The Leanpub Podcast 🎙️ Feat. Sal Kimmich, Author of Code, Chips and Control #books #ai #technology
The Leanpub Podcast 🎙️ Feat. Sal Kimmich, Author of Code, Chips and Control #books #ai #technology Sal Kimmich (https://leanpub.com/u/salkimmich) is the author of Code, Chips and Control: The Security Posture of Digital Isolation https://leanpub.com/codechipsandcontrol In this episode of the…

NEW! A Leanpub Podcast Interview with Sal Kimmich, Author of Code, Chips and Control: The Security Posture of Digital Isolation

Watch here: youtu.be/kfeJVv7boNs

#books #leanpublishing #selfpublishing #cybersecurity #infosec #securityarchitecture #supplychainsecurity #opensource #devsecops


Today in Munich at @microsoft.com

Two topics that are on my mind:

🔹 Defender XDR & Security Copilot – s
🔹 Sovereign cloud in the KRITIS (critical infrastructure) environment

#sentinel #copilot #defender #xdr #purview #cloudsecurity #microsoft365 #entra #zerotrust #kritis #cybersecurity #infosec #securityarchitecture

Security Review Philosophy: Collaboration Over Compliance

I’ve spent the better part of two decades watching application security reviews fail in predictable ways. They fail when security becomes a gate instead of a partnership. They fail when documentation becomes performative rather than diagnostic. They fail when the people conducting the reviews lack the authority to influence outcomes but carry all the responsibility for risk.

After enough iterations, enough frustrated application teams, and enough security incidents that slipped through elaborate review processes, I built something different. The document I’ve shared here represents a synthesis of those failures and the lessons extracted from them. It’s not revolutionary—there are no novel security controls or cutting-edge threat modelling frameworks embedded in these procedures. What it does attempt is something more fundamental: it tries to create a structure where security review becomes a collaborative exercise in understanding rather than a compliance checkbox.

The philosophy underpinning these procedures acknowledges a simple truth that many security organisations struggle to accept: application teams aren’t trying to circumvent security, they’re trying to deliver business value within constraints they may not fully understand.

The first design choice—placing the Security Solutions Architect at the centre of coordination—isn’t about centralising power. It’s about creating accountability. When everyone is responsible for security, no one is responsible for security. The SSA role exists to be the single thread that pulls together enterprise architecture concerns, risk management decisions, peer review feedback, and CISO oversight into a coherent assessment. This person isn’t a gatekeeper; they’re a translator and coordinator who ensures that the application team’s technical reality gets accurately represented to the various governance bodies that need to understand it.

But here’s the trade-off: this model requires security architects who can operate across multiple domains. They need to understand threat modelling and risk assessment, yes, but they also need to navigate enterprise architecture politics, speak the language of application developers, and know when to escalate to the CISO versus when to work through issues collaboratively. Finding people who can do this well is harder than finding people who can identify OWASP Top 10 vulnerabilities. Training them takes time. The process documentation can’t compensate for lack of skill or judgement.

The questionnaire-driven approach in Step 2 addresses a problem I’ve encountered repeatedly: application teams and security teams often talk past each other because they’re operating with different mental models of the system. Asking for architecture diagrams with labelled protocols and networks, data flow diagrams, and sequence diagrams forces both parties to develop a shared understanding of what actually exists. The assurance documentation—SAST, DAST, SOC 2 Type 2 reports—isn’t about ticking boxes. It’s about establishing a baseline of external validation that the security team can build upon rather than starting from zero trust.

The RBAC matrix and encryption evidence requirements deserve special attention. These are areas where I’ve seen the most significant gaps between what application teams think they’ve implemented and what actually exists in production. Requiring explicit proof of IAM onboarding and SIEM configuration isn’t bureaucratic overhead—it’s a recognition that without observability and access control, every other security control becomes theoretical. You can’t detect or respond to what you can’t see, and you can’t enforce least privilege without role definitions.

The cyber significance assessment in Step 4 is a filtering mechanism born from pragmatism. Not every application deserves the same level of scrutiny. A marketing website that collects email addresses for a newsletter isn’t equivalent to a payment processing system or a platform that handles PHI. The risk-based approach here prevents security teams from becoming bottlenecks whilst ensuring that genuinely significant applications receive appropriate attention. The challenge is defining “cyber significant” in ways that make sense to both security and business stakeholders. I’ve deliberately kept the definition broad—applications that process or store information directly relevant to the organisation’s business mission—because rigid categories inevitably miss edge cases.

Involving the Enterprise Architecture Board at Step 5 is perhaps the most controversial design decision. Many security processes treat enterprise architecture as a separate concern, something that happens before or after security review. I’ve found this separation creates blind spots. Architecture decisions about technology stack, deployment model, or data residency have profound security implications. Conversely, security requirements influence architecture in ways that affect performance, cost, and operational complexity. The EAB review ensures these concerns get addressed in an integrated way rather than creating conflicts that application teams have to resolve through workarounds.

The threat assessment in Step 7 is where theory meets reality. Questionnaires and documentation provide structure, but understanding the actual threat landscape for a specific application requires conversation. What works for a B2B API won’t work for a consumer-facing mobile application. Threat modelling frameworks like STRIDE or PASTA provide useful starting points, but the SSA needs enough context about the business function, the users, the data sensitivity, and the deployment environment to conduct meaningful threat assessment. This is why meetings with application teams are mandatory rather than optional. You can’t threat model by email.

The Risk Management Forum review in Step 8 introduces formal risk acceptance into the process. This is critical because perfect security doesn’t exist. Every application ships with residual risk, and someone with appropriate authority needs to acknowledge and accept that risk. The alternative—security teams identifying issues without clear risk ownership—creates a situation where findings get documented but never resolved, and everyone can later claim they weren’t responsible for the decision. The threat/risk scoring matrix provides a structured way to communicate severity without falling into the trap of treating all security findings as equally critical.

The requirement for CISO approval when PHI or PII moves to the cloud in Step 10 reflects regulatory reality in financial services and healthcare. This isn’t security theatre—it’s acknowledging that certain data handling decisions carry legal and reputational consequences beyond technical security concerns. The CISO needs visibility into these decisions because they’re accountable for the organisation’s overall security and compliance posture. The trade-off is that this can become a bottleneck if not managed carefully. Clear criteria for what requires CISO review versus what the SSA can approve helps prevent everything from escalating.

The Security Peer Review Forum in Step 12 addresses a problem I’ve seen repeatedly: individual architects, no matter how skilled, have blind spots. Peer review distributes the cognitive load of security assessment across multiple people with different backgrounds and experiences. It also creates consistency across assessments. When multiple SSAs are conducting reviews, peer forums help ensure that one architect’s risk appetite doesn’t significantly diverge from another’s. The challenge is making these forums efficient. If every review requires an hour-long meeting with six people, the process becomes unsustainable. The key is focusing peer review on novel architectures, significant risks, or cases where the SSA is uncertain about the assessment.

Step 13—resolving design deficiencies—is where the rubber meets the road. The procedure creates a forcing function: the application team either commits to fixing issues before going live, or the risks get formally added to the enterprise risk register. This prevents the common pattern where security issues get identified, everyone nods seriously, and then nothing changes. The Corrective Action Report with timeline creates accountability. The enterprise risk register creates visibility. Neither is sufficient alone, but together they make it harder for identified risks to simply disappear into the backlog and never get addressed.

The final peer review in Step 14 serves as a quality gate. It’s the SSA’s colleagues reviewing the SSA’s work product to ensure the assessment was thorough and the conclusions are sound. This protects both the organisation and the individual architect from assessment failures that only become apparent after incidents occur.

The challenges of implementing this process are significant. It requires security architects with broad skills, application teams willing to invest time in documentation, and an organisational culture that treats security as a shared responsibility rather than a separate department’s problem. It requires executive support for risk acceptance decisions and consequences when risks aren’t properly managed. It requires tooling to track assessments, findings, and remediation timelines. Most difficult of all, it requires trust between security and application teams—trust that security is trying to help rather than obstruct, and trust that application teams will be honest about constraints and limitations rather than gaming the process.

I’ve seen organisations try to implement security review processes without these foundations, and they typically devolve into either rubber-stamp exercises that provide false assurance or antagonistic relationships where security becomes an obstacle to be routed around. The procedures documented here are my attempt to avoid both failure modes by creating a structure that’s rigorous enough to actually assess risk but collaborative enough to remain sustainable. Whether it works depends less on the procedures themselves and more on the people executing them and the culture they operate within.

#securityarchitecture #appsec

islandinthenet.com/collaboration-over-compl...

Security Review Philosophy: Collaboration Over Compliance Application security reviews fail when they become gates instead of partnerships—here's how to build a process that actually works through collaboration and shared understanding.

#securityarchitecture #appsec
