The Attack Surface
I am a software engineer with over 20 years of experience in designing and building software systems. Security has been a recurring part of my work throughout my career - not as a separate discipline, but as an integral aspect of system design, implementation, and long-term maintenance.
I currently work on security-critical aspects of embedded and distributed systems, including secure boot, application security on IoT devices, and the architecture of cloud-based services used to manage and update those devices. Much of this work takes place under real-world constraints: legacy codebases, limited hardware resources, tight schedules, and evolving threat models.
What is this blog?
This blog is a collection of practical observations from that environment. It documents where software security tends to fail in practice, why those failures are often predictable, and what can be done to address them.
The stories shared here are all based on real experiences, but anonymized. They focus on technical and architectural lessons rather than specific products or organizations.
The views expressed here are my own.