
Security Architecture

End-to-end security design: AuthN/AuthZ, encryption, and cloud controls.

5 topics in this section
security/application-security/
Application Security
The discipline of building applications that are hard to attack, where security is a property of the code, the dependencies, the build, and the runtime — not a layer added afterward by a separate team.
security/authentication-authorization/
Authentication and Authorization
The discipline of knowing *who* is making a request and *whether* they should be allowed to make it — two distinct problems that are repeatedly conflated, and whose conflation is responsible for a substantial fraction of the access-control bugs in production applications.
security/cloud-security/
Cloud Security
The discipline of operating cloud workloads securely — recognising that the cloud changes which threats matter, which controls work, and which mistakes are catastrophic. The cloud is not on-premises with someone else's hardware; it is a different security regime with different failure modes.
security/encryption/
Encryption
The discipline of using cryptography correctly — encrypting what should be encrypted, managing keys with operational rigour, choosing algorithms that survive the next decade, and recognising what encryption does and does not protect against.
security/vulnerability-management/
Vulnerability Management
The discipline of finding, prioritising, and remediating vulnerabilities at the rate they appear — recognising that discovery is incomplete by definition, prioritisation is a judgement that scores cannot replace, and remediation is a workflow rather than a spreadsheet.