Technical research and field notes from our security consulting practice. We publish what we learn so the broader community benefits.
Broken migrations, deadlocked indexes, and schema drift as silent production vulnerabilities.
Database Security: Tuning PostgreSQL's maintenance daemon for high-transaction systems to prevent availability risks.
Pre-computed visibility maps replaced in-memory graph traversal, eliminating denial-of-service risks.
Database Security: Statement-level triggers with transition tables were the only way to build efficient audit logging.
Database Security: PostgreSQL triggers and JSONB for application-agnostic audit trails without modifying application code.
When missing indexes on multi-gigabyte tables turned a routine migration into a production outage.
Application Security: Profiling-driven optimization that reduced attack surface while improving throughput by 5x.
Code Review: A code intelligence indexer consumed 8 minutes per run due to repeated AST traversals. Single-pass caching cut it to 24 seconds.
Architecture: How a backend's evolution through eight major rewrites revealed operational security tradeoffs at every turn.
A circular dependency caused a security-critical constant to silently evaluate to NaN, breaking git commands for two weeks.
Application Security: A developer's shell alias masked a malformed RPC call that passed in production.
Application Security: Go's os.RemoveAll entered an infinite loop when a directory contained over 1024 undeletable entries.