API Security Testing Guide: OWASP API Top 10 for SaaS and Fintech
What to test and how to fix BOLA, auth flaws, and injection. Practical guide for engineering and security teams.
Technical articles and case studies grouped by domain. For recruiters: a clear map of expertise (AppSec, cloud, Kubernetes, threat research, detection). For clients: proof of depth and how it connects to consulting services.
Web and API security for SaaS and fintech: OWASP-focused testing, access control, injection, and multi-tenant risks. Tied to penetration testing and API security engagements.
Broken access control, injection, auth flaws, misconfiguration. What to test and fix first.
Authentication, multi-tenancy, APIs, secrets, and supply chain. For CTOs and engineering leads building or scaling SaaS.
AWS (and cloud) security audits: IAM, S3, networking, logging, and compliance. How to prepare for SOC 2 or external audits and fix common misconfigurations.
IAM, S3, networking, logging, and compliance. Prepare for SOC 2 or external audits without slowing engineering.
IAM sprawl, S3 exposure, missing CloudTrail, weak networking. Practical fix plan for CTOs and platform teams.
Scope, controls, evidence, and timelines. For CTOs and engineering leads preparing for a first or renewal audit.
Cluster and workload security: RBAC, NetworkPolicies, secrets, and image hygiene. Practical checklists for platform and engineering teams running production Kubernetes.
RBAC, NetworkPolicies, secrets, workload hardening. Practical checklist for platform and engineering teams.
Threat-focused analysis and attack paths: tenant isolation, API abuse, cloud IAM escalation. Connects offensive testing experience to defensive guidance.
Tenant isolation, API access control, IDOR/BOLA. Threat briefs and remediation for B2B SaaS.
BOLA, auth flaws, injection, rate limiting. Testing and hardening APIs for SaaS and fintech.
AWS/GCP IAM misuse, permission boundaries. How to find and fix privilege escalation.
Logging, alerting, and detection for cloud and applications. CloudTrail and guardrails, API abuse detection, and evidence for compliance and incident response.
CloudTrail, guardrails, and what auditors expect for logging and alerting in AWS environments.
What evidence auditors look for around logging, monitoring, and incident response readiness.
Anonymized engagements: problem, approach, and outcome. Shows how findings are documented and how remediation is delivered to engineering teams.
IDOR across tenants; authorization at the data layer and UUIDs. Problem, approach, outcome.
Bucket policy and public access; Block Public Access and least-privilege IAM. Problem, approach, outcome.
Developer role with iam:PassRole/CreatePolicyVersion; permission boundaries and least privilege. Problem, approach, outcome.
Executive summary, technical findings with CVSS, proof of concept, remediation guidance. Structure of every engagement.