Engineering insights on e-skimming defenses, PCI compliance, and payment security — for teams building systems that handle cardholder data.
Replacing Static GCP Credentials in CI/CD with Workload Identity Federation
Part 1 of 2 — Concepts and Architecture

If your GitHub Actions workflows authenticate to GCP using a stored secret — a service account key JSON, a FIREBASE_TOKEN, or any other long-lived credential — you have a static credential problem. It doesn’t matter what format the credential is in. The issue is that it exists at rest, in GitHub, and was generated by a person who may no longer work there. ...
Setting Up Workload Identity Federation: An Agent-Assisted Rollout
Part 2 of 2 — Implementation

Part 1 explained the concepts and the three decisions you need to make: where the WIF pool lives, whether to use branch or environment conditions, and who approves production deploys. This post walks through the actual rollout using an AI coding agent (Claude Code) to examine your existing infrastructure, propose a plan, and execute it step by step — with you reviewing and approving at every decision point. The agent handles the mechanical work. You make the security decisions. ...
Understanding Magecart: How E-Skimming Attacks Steal Payment Data
Educational Purposes Only. This article and Lab 1 are strictly for educational purposes. Code examples demonstrate attack techniques to help security professionals understand and defend against them. Never use these techniques on systems you don’t own.

What is Magecart?

Magecart is not a single hacking group, but an umbrella term for multiple cybercriminal organizations that specialize in stealing payment card data from e-commerce websites. These attacks are also known as: ...