Hi there, I’m Bradley 👋🏻

Security engineer by day (and often by night too…)

This blog is where I try to share my mental models about security that I find useful.

Simple A/B testing with Caddy and Plausible Analytics

This post first appeared on the QueryCal technical blog. A/B testing is a lifesaver for a solo SaaS developer. While it’s hard to predict whether a 14-day or 1-month trial is going to get a better signup rate, it’s really simple to test: show half of people the 14-day button and the other half the 1-month button and just measure the click-through rate. There are loads of tools out there to help you do this, but rule #1 of running a micro-SaaS like QueryCal is to keep your technology stack simple—it’s better to focus your time on features, not integrating a bunch of different technologies....

March 8, 2021 · 6 min · Bradley Kemp

Assurance alerts: when measuring false-positive rate can be misleading

Nobody likes alerts that feel like a waste of time to review. But how do you tell whether an alert is actually a waste of time? The go-to metric is false-positive rate—if an alert has a high false-positive rate then it’s “noisy” and might be worth getting rid of. But trying to distill the performance of an alert down to a single number is hard, and false-positive rate might be a particularly bad choice....

February 8, 2021 · 8 min · Bradley Kemp

Spending your security goodwill budget wisely

Making users more secure generally means annoying them. Whether it’s making them carry a hardware security key or just enforcing a short screensaver timeout, changing how people go about their work is annoying—and an annoyed user is not a secure user. The effectiveness of a lot of security controls relies on the user cooperating. If they get frustrated with all the barriers and friction between them and doing their actual job, they might just find ways around the controls—their shortened screensaver timeout is soon “fixed” with a keep-awake app and now they’re less secure than they were before....

January 4, 2021 · 7 min · Bradley Kemp

How intrusion detection honeypots work so well

Intrusion detection honeypots are just plain cool. They’re incredibly simple to run and give you extremely accurate alerts about intruders in your systems. A honeypot can be as simple as a fake server inside your network that alerts if anyone connects to it. There’s no reason to intentionally connect to this bogus server, so any attempts are probably an attacker already inside your network. Unfortunately, that’s about as far as most people get with them....

December 8, 2020 · 6 min · Bradley Kemp

Snapshot Testing Is Hard -- Pitfalls To Avoid

Snapshot testing is an extremely fast way to add regression testing to an existing project. You simply take some example inputs and then snapshot the resulting outputs. From then on, you can have a high degree of confidence that any changes you make have not affected backwards compatibility (as this would have been detected as a change in a snapshot). However, there are many pitfalls you can run into, as I found when writing cupaloy, a snapshot testing library for Go....

December 19, 2017 · 3 min · Bradley Kemp