I’m working on OurCodeLab, a Singapore-based startup. After 11+ years in DevSecOps, I noticed a lot of local SMEs are either overpaying for simple sites or using insecure, bloated templates.
I’m trying to solve this by building high-quality, lightweight landing pages at the most affordable rate possible. Right now, I’m running a promotion: we’ll build your landing page (up to 2 pages) for free if we handle your domain hosting.
I craft each site individually to ensure they meet modern web and cyber standards—no copy-paste layouts. I’d love to hear your thoughts on the model or any feedback on the tech stack.
If you're an SME or know one that needs a hand, reach out at farath@ourcodelab.com for a non-obligatory chat.
Interlock ransomware was inside firewall management consoles since January 26. Cisco didn't patch until March 4. No credentials required — unauthenticated Java deserialization, code execution as root, full control of every managed firewall device.
Also in this fortnight: Ivanti EPMM RCE (again), an Azure MCP SSRF that leaks managed identity tokens, and a 2019 Log4j CVE that just got its first SAP patch in 2026.
I’ve published a new issue of my DevSecOps‑focused security brief. This one is centered on control‑plane risk rather than just app CVEs:
Microsoft February 2026 Patch Tuesday: 6 in‑the‑wild zero‑days, 50+ vulnerabilities, heavy on elevation‑of‑privilege and security feature bypass (SmartScreen/MoTW, Office/OLE, MSHTML).
CVE‑2026‑1731 in BeyondTrust Remote Support / Privileged Remote Access: pre‑auth RCE on a privileged access gateway, now on CISA KEV and actively exploited.
Critical vulns in WordPress plugins and SmarterMail turning “just the blog/mail server” into a realistic pivot into internal systems.
How to wire SAST/SCA/DAST/IAST around these: KEV‑driven SLAs, treating remote support / RDS / WordPress / mail as first‑class AppSec surfaces.
Audience: DevSecOps, AppSec, and platform teams who care about pipelines, SLAs, and realistic attacker paths (not just theoretical bugs).
Reactive patching is dead. Attackers are weaponizing zero-days faster than teams can patch—we’ve seen three actively exploited CVEs in two weeks (CVE-2026-21509, CVE-2026-20805, CVE-2026-1281).
The real insight: teams moving fastest aren’t patching first. They’re preventing exploitable code from entering the pipeline in the first place.
SAST catches vulnerable patterns during code review. SCA flags known-bad dependencies before they ship. DAST/IAST surfaces runtime behaviors that static tools miss. Together, they create friction that forces attackers to work harder.
The gap most teams miss: these tools only work if they’re integrated into CI/CD gates with real SLAs. A SAST warning at code review that takes 3 weeks to resolve is just noise.
I’ve been covering DevSecOps in enterprise environments for 11+ years. The difference between teams that stay ahead vs. those that stay reactive comes down to this: do you own your supply chain and build pipeline, or do you let attackers choose the battlefield?
I’ve written a deeper breakdown on how SAST/SCA/DAST/IAST actually complement each other across build → deploy → operate phases, plus real remediation playbooks for this fortnight’s threats.
https://open.substack.com/pub/farathappsec/p/faraths-biweekl...
(Bi-weekly code security newsletter for DevSecOps teams—real CVEs, real tooling, real strategy.)
Why this works for HN:
• Technical substance first: Specific CVEs, tool mechanics, pipeline architecture
• Authentic expertise: Establishes credibility without sales speak (“11+ years”)
• Practical insight: Identifies the real gap (SLAs + CI/CD gates, not just tools)
• Discussion-friendly: Opens conversation about supply chain security, tool integration
• Transparent promotion: Link is contextual, not pushy
• HN tone: Direct, thoughtful, assumes technical audience
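The "KEV-driven SLAs" and "CI/CD gates with real SLAs" idea from the two newsletter posts above, as an added worked example (not the newsletter's own tooling): a small gate that takes scanner findings, assigns each a remediation deadline (a short window if its CVE is on the CISA KEV list, otherwise a severity-based window), and fails the pipeline when any finding is past due. The SLA day values, the finding records and the KEV excerpt are constructed for illustration; the CVE ids reuse ones mentioned in the posts, and CVE-2026-1731 is placed in the KEV excerpt because the post says it is on KEV.

```python
"""KEV-driven remediation SLA gate for CI/CD (added example, not from the posts).

A finding that is past its SLA deadline fails the gate; everything else is
reported but does not block. The policy numbers below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA policy in days, keyed by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed override for anything on the KEV list, regardless of severity.
KEV_SLA_DAYS = 3


@dataclass(frozen=True)
class Finding:
    tool: str            # "sast", "sca", "dast" or "iast"
    cve: Optional[str]   # SCA/DAST findings usually map to a CVE; SAST often does not
    severity: str        # key into SLA_DAYS
    first_seen: date     # when the scanner first reported it
    component: str       # package, file or endpoint


def is_kev(finding: Finding, kev_ids: set) -> bool:
    """True when the finding's CVE appears in the KEV excerpt."""
    return bool(finding.cve) and finding.cve in kev_ids


def sla_days(finding: Finding, kev_ids: set) -> int:
    """KEV entries get the short window; otherwise the severity window applies."""
    if is_kev(finding, kev_ids):
        return KEV_SLA_DAYS
    return SLA_DAYS[finding.severity]


def due_date(finding: Finding, kev_ids: set) -> date:
    return finding.first_seen + timedelta(days=sla_days(finding, kev_ids))


def evaluate(findings, kev_ids: set, today: date):
    """Return (passed, report): passed is False if any finding is overdue."""
    report = []
    passed = True
    for f in findings:
        due = due_date(f, kev_ids)
        overdue = today > due
        if overdue:
            passed = False
        report.append({
            "tool": f.tool,
            "cve": f.cve,
            "component": f.component,
            "kev": is_kev(f, kev_ids),
            "due": due.isoformat(),
            "status": "OVERDUE" if overdue else "within SLA",
        })
    return passed, report


# Constructed KEV excerpt: only the CVE the post says is on KEV.
SAMPLE_KEV = {"CVE-2026-1731"}

# Constructed findings as a scanner pipeline might emit them.
SAMPLE_FINDINGS = [
    Finding("sca", "CVE-2026-1731", "critical", date(2026, 2, 16), "remote-support-gateway"),
    Finding("sast", None, "high", date(2026, 2, 1), "app/auth.py"),
    Finding("sca", "CVE-2026-0749", "medium", date(2026, 2, 10), "drupal-core"),
]

# Constructed "today" so the run is deterministic.
SAMPLE_TODAY = date(2026, 2, 20)


def run_gate(findings=SAMPLE_FINDINGS, kev_ids=SAMPLE_KEV, today=SAMPLE_TODAY) -> int:
    """Print the report and return a process exit code (1 = block the pipeline)."""
    passed, report = evaluate(findings, kev_ids, today)
    for row in report:
        flag = " [KEV]" if row["kev"] else ""
        print(f'{row["tool"]:4} {row["cve"] or "-":15} {row["component"]:24} '
              f'due {row["due"]} {row["status"]}{flag}')
    print("GATE PASSED" if passed else "GATE FAILED: overdue findings")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(run_gate())
```

With the constructed data the KEV-listed finding was first seen on 2026-02-16, so its 3-day window expires on 2026-02-19 and the gate fails on 2026-02-20, while the SAST and medium SCA findings are still inside their 30- and 90-day windows. Feeding the script the real KEV JSON and your scanner export is the integration step the posts describe; the policy table is where the SLA decision lives, not in the scanner.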
Hey HN – I curate a weekly newsletter of real DevOps, SRE, and DevSecOps roles (no recruiter spam).
This week: 35 positions from the past 2 weeks across USA, Singapore, and Europe.
Highlights:
• Netflix (SRE L5, Remote)
• Cisco Meraki (Senior SRE, $146K-$214K)
• Fidelity (Director SRE, Remote)
• Zelis (Senior K8s Platform Engineer, $139K-$186K)
• GIC Singapore (AVP/VP Observability & SRE)
Salary ranges: $120K–$214K (USA) | €60K–€110K (Europe) | SGD $7K–$9K/month (Singapore)
All links verified, no dead posts.
First edition covers:
• Microsoft Patch Tuesday (114 vulns, active DWM zero-day)
• SAP critical SQLi + RFC backdoors in S/4HANA/NetWeaver
• n8n RCE (public PoC, mass scanning)
• Drupal 7 session hijacking (CVE-2026-0749)
Each broken down by:
• How it surfaces in scans
• Pipeline remediation steps
• Build/deploy/run tuning
Targeted at DevSecOps/SAP teams shipping securely without slowdowns.