Security Engineer and ethical hacker with 11+ years building secure software and hardening production systems. Expert in application security, secure authentication, cloud controls, network defense, and incident response. I focus on practical defenses that hold up under real traffic, real attackers, and real developer constraints.

Security review checklist for production readiness of new services

I use a review checklist to make sure basic controls are present before a service ships: auth, logging, secrets, dependency scanning, backups, and least privilege. Checklists do not replace expertise, but they prevent avoidable omissions. The best one

Signed release artifacts with cosign for software supply chain trust

Artifact signing gives downstream systems something concrete to verify before deployment. I use cosign because it keeps container and provenance signing practical in CI. Supply chain controls only matter if verification is automated where release deci

Email security baseline with SPF, DKIM, and DMARC records

Email remains a major impersonation surface, so I want domain alignment controls in place even for engineering-led products. SPF alone is not enough, and DMARC without a rollout plan creates confusion. Monitoring mode first, then enforcement, is usual

Incident response severity matrix and first hour checklist

The first hour of an incident should be structured enough that teams do not invent process under pressure. I keep severity definitions, communication paths, and containment priorities explicit. A good checklist reduces panic and preserves evidence at

CSP report endpoint for monitoring attempted browser policy violations

I like CSP reporting because it reveals both rollout mistakes and active attack attempts. The endpoint should accept reports quietly, avoid noisy validation failure loops, and forward the data into normal observability systems. Reporting without triag

Password reset flow that avoids user enumeration and token leaks

Password reset endpoints should reveal as little as possible about account existence. I return the same response for known and unknown emails, store only token digests, and invalidate tokens after first use. Small response details here prevent large i