Archive
Posts from 2026
Layered defenses against software supply chain attacks
Software supply chain attacks target the dependencies, build systems, and publishing pipelines that produce the software we run, instead of the application itself. A single compromised package can reach millions of systems before anyone notices, and once it lands, it runs with the same trust and privileges as the rest of your code. The diagram below shows where these attacks typically land along the chain:

[diagram not reproduced in this excerpt]

Defending against this requires controls at every one of those stages.

Recent supply chain compromises

Two incidents from earlier this year show just how quickly a compromised pipeline can lead to large-scale security incidents:

LiteLLM (March 2026): A compromised CI/CD pipeline let attackers ship malicious releases of litellm, a widely used AI infrastructure library, that harvested cloud credentials and API keys on install…
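One control at the dependency stage that would have blocked a swapped release like the one described above is hash pinning: the lockfile records the sha256 of every artifact that was reviewed, and the installer refuses anything whose digest is not listed (pip enforces this with `pip install --require-hashes -r requirements.txt`). The script below is an added example, not code from the post or the litellm project: it parses pip's `--hash=sha256:...` pinning syntax, rejects any requirement that is not exactly pinned, and checks artifact bytes against the recorded digests. The package name, version, artifact bytes and lockfile are constructed for illustration and refer to no real release.

```python
"""Verify downloaded package artifacts against a hash-pinned requirements file.

Added example (not code from the post). It parses the `--hash=sha256:...`
pinning syntax that pip accepts under `--require-hashes` and checks artifact
bytes against it. Package name, version, artifact contents and digests are
constructed for illustration; none refers to a real release.
"""
import hashlib
import re

# Exact pin: name==version followed by hash options. pip allows a trailing
# backslash to continue a requirement onto the next line.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)(.*)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def _normalize(name: str) -> str:
    """Normalize a distribution name the way pip does for comparison."""
    return name.lower().replace("_", "-")


def parse_pinned_requirements(text: str) -> dict[str, tuple[str, set[str]]]:
    """Return {name: (version, {sha256 digests})} for each requirement.

    Raises ValueError for a requirement that is not an exact (==) pin or that
    carries no sha256 hash: under a require-hashes policy an unpinned line is a
    policy violation, not something to install anyway.
    """
    logical = text.replace("\\\n", " ")  # join backslash continuations
    pinned: dict[str, tuple[str, set[str]]] = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an exact (==) pin: {line!r}")
        name, version, rest = _normalize(m.group(1)), m.group(2), m.group(3)
        digests = set(_HASH_RE.findall(rest))
        if not digests:
            raise ValueError(f"no sha256 hash recorded for {name}=={version}")
        pinned[name] = (version, digests)
    return pinned


def is_rejected_by_policy(text: str) -> bool:
    """True if the lockfile contains any requirement the policy would refuse."""
    try:
        parse_pinned_requirements(text)
    except ValueError:
        return True
    return False


def verify_artifact(pinned: dict, name: str, version: str, artifact: bytes) -> bool:
    """True only if (name, version) is pinned and the artifact digest is listed.

    A release re-published with different contents under the same version, or
    a version the lockfile never recorded, fails here before any install-time
    code from it runs.
    """
    entry = pinned.get(_normalize(name))
    if entry is None:
        return False
    want_version, digests = entry
    if version != want_version:
        return False
    return hashlib.sha256(artifact).hexdigest() in digests


# Constructed sample artifacts: stand-ins for a wheel and its sdist.
GOOD_WHEEL = b"PK\x03\x04 example-lib 1.2.3 wheel contents (constructed)"
GOOD_SDIST = b"\x1f\x8b example-lib 1.2.3 sdist contents (constructed)"
# Same version number, different bytes: what a swapped release looks like.
TAMPERED_WHEEL = GOOD_WHEEL + b" plus bytes that were never reviewed"

# What a hash-generating lock step would have recorded when the dependency
# was reviewed (constructed here from the sample artifacts above).
SAMPLE_REQUIREMENTS = (
    "# constructed lockfile\n"
    "example-lib==1.2.3 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()} \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_SDIST).hexdigest()}\n"
)

if __name__ == "__main__":
    pins = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    print("good wheel:", verify_artifact(pins, "example-lib", "1.2.3", GOOD_WHEEL))
    print("tampered wheel:", verify_artifact(pins, "example-lib", "1.2.3", TAMPERED_WHEEL))
    print("unpinned lockfile rejected:", is_rejected_by_policy("example-lib>=1.2\n"))
```

The check is only as good as the lockfile it reads, so the digests must be generated on a trusted machine when the dependency is reviewed and committed alongside the code, and the install step must fail closed (as pip's `--require-hashes` does) rather than fall back to an unpinned install when a hash is missing.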
$ read more →
Visualizing PostgreSQL index types
Over the past few months I've been diving deep into PostgreSQL. I've spent a good bit of my career supporting Oracle and MySQL, but over the past few years I've spent more time managing PostgreSQL. I'm super comfortable getting around a psql prompt, but wanted to really dive into the guts of PostgreSQL to take my knowledge to the next level. I started with the PostgreSQL internals documentation…
$ read more →
The new AI frontier
It has been a while since I last posted in 2022. A lot has changed since then: the pandemic reshaped how we work, software and infrastructure practices continue to evolve, and AI has become one of the most significant technology shifts I have ever seen. I have always loved learning, and AI has accelerated that process in a meaningful way. It makes it easier to ask focused questions, understand unfamiliar systems, debug problems, and create documentation that reflects what was actually built…
$ read more →