https://argemma.com/blog/ Security engineering articles on application security, cryptography, and secure system design. en-us Fri, 06 Mar 2026 00:00:00 +0000 https://argemma.com/blog/go-1.26.1-x509-vulns/ Fri, 06 Mar 2026 00:00:00 +0000 https://argemma.com/blog/go-1.26.1-x509-vulns/ Go 1.26.1 fixes two crypto/x509 CVEs: a name constraint bypass that silently dropped duplicate email keys, and a panic from empty SAN values. https://argemma.com/blog/lethal-trifecta-no-choice/ Wed, 04 Mar 2026 00:00:00 +0000 https://argemma.com/blog/lethal-trifecta-no-choice/ AI coding agents on proprietary code already meet two of the three conditions for data exfiltration. Egress controls are your primary lever. https://argemma.com/blog/go-filepath-clean/ Thu, 29 Jan 2026 00:00:00 +0000 https://argemma.com/blog/go-filepath-clean/ Go's filepath.Clean doesn't prevent path traversal despite its name. Learn why it fails, see a real-world vulnerability, and how os.Root fixes it. https://argemma.com/blog/threat-model-rag/ Wed, 21 Jan 2026 00:00:00 +0000 https://argemma.com/blog/threat-model-rag/ A threat model for RAG features covering untrusted source data, query authorization flaws, sensitive document exposure, and conversation context leaks. https://argemma.com/blog/go-timing/ Mon, 05 Jan 2026 00:00:00 +0000 https://argemma.com/blog/go-timing/ Go's string comparison leaks timing info, but compares in chunks, making timing attacks impractical. However, you should still use constant time comparison.