While people often say you cannot fight what you can’t see, I say you cannot change what you are not aware of.

Last year, I spoke to a CTO who asked me about vulnerability assessment. I told him yes, it’s important to be aware of the vulnerabilities you have. Still, it shouldn’t make everyone put down their tools, and rush to fix every one of the vulnerabilities found.

Why? Ask yourself, what has changed? Has the risk changed? No, the risk in production was already set when you deployed it. What has changed is the awareness of the risks! …


I wrote this in 2019, and not much has changed since except for a few acquisitions, although a newcomer has become a rockstar now.


A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries, and settings.

— Docker, a major player in container technology

Containers are a solution to the problem of how to get software…

In criminology, there are three elements — motives, opportunities and means.


To disrupt bad things, removing any of the three would work, but they’re not equal. That’s why a lot of places ban guns, cryptos, etc. Removing the means is easy to do, but most criminologists will tell you the effect is short-lived.

Some places ban the practice of pressure selling, and of criminals turning human nature against people themselves; that is removing the opportunities. Still, it’s not easy to do, and the effect is very difficult to measure.

In the Art of War, it says “top strategy targets the hearts.”…


Dear Founders:

Do you remember how you made your first friend at kindergarten? Did you say “Hi, my name is John, can I play with you?” or did you just walk up to another kid and start playing in parallel?

Now, forget what the costly McKinsey consultants told you about breaking the silo, which is common sense. They’re very good at contradicting themselves, because the same consultant would also have told you that you should reduce cost, so that you can afford to pay them.

What’s needed is to have people play in parallel. In this case, playing could be development…

I told everyone I’ve spoken to that “What took DevOps 10 years, will only take DevSecOps 3–5 years,” and I said that in 2017. Nowadays, you’ll see companies are still stuck in the last century insisting on their differences, instead of embracing the fact that “DevSecOps is dead; long live DevOps.”

Shifting Common Sense to the Left

Now, before you jump up and punch me in the face, let me explain. Last year, I was trying to design a DevSecOps diagram to help drive and educate its adoption. I reached out to the group CTO and said, “… without DevOps, there’s no…

Lately, you’ve probably heard many people talking about “checks and balances in government” without knowing what exactly they are. I’m no expert in politics, so I don’t know what such things are either. However, it got me thinking about two very different approaches to the security of intellectual property (IP).

A Tale of Two Companies

Company A has a policy of banning the use of personal GitHub repositories for work. It subscribes to surveillance services to monitor for leaks of IP. However, company IP keeps being made public through personal repositories and the like. …

These are the questions Mark Shuttleworth asked me, and my replies.

What are the key customer problems to solve?

We aim to be the aggregator of the multi-cloud world by creating an open framework that truly facilitates “define once and operate everywhere.” We don’t want laughable solutions that simply transpose cloud-specific variables into a domain-specific language meant to define a subnet; you’ll have to repeat the almost-identical, yet slightly different keywords for AWS, Azure, and GCP. That’s what Terraform does, and what I’m proposing is what Terraform wants to be. An example would be something like a Java VM or the .NET common runtime that translates…

Hi, everyone. I’m sure some of you may have noticed that our lives have been a little bit interrupted because of a microscopic virus called coronavirus. You can find a short story named “CVSS Score of COVID-19” on Medium I wrote in March just before I got COVID myself.

This pandemic made me think of living vs surviving. What does this have to do with security? You got it. Life is surviving WITH security! Security is the endeavour of continuously trying to eradicate the unknowns because fear comes from the risk of the unknowns.

Security is A Mindset

A little…

CVSS has been one of the mainstay tools for estimating risk.

It’s less frequently used for computer viruses, and even less for the human-to-human transmission of a DNA virus. However, why not? In the computer world, there are networks and hosts, and malware or a virus travels across the network to incapacitate hosts.

The same things apply to human networks: humans are the hosts, and the user is the almighty.


Base Metric Group

Exploitability metrics

  • Attack Vector (AV): Adjacent (A) — easy OTA transmission to another human with close contact (see below)

  • Attack Complexity (AC): Low (L) — a close contact is defined as one of the following:

    • Any person who had contact (within…

Alvin Chang

Explorer of the Merkle Forest
