Security & Compliance Engineering

Compliance becomes engineering the moment the auditor asks for evidence and the evidence has to come from a system the developer wrote. Authentication logs, key rotation timestamps, deployment approvals, data-deletion confirmations — every artifact the audit consumes is produced by code, configured by IaC, or absent because nobody decided who owned it. The articles in this collection treat compliance as a control-flow problem in the codebase rather than a document-management problem in SharePoint.

Compliance-as-code content covers the mechanics: Bicep and Terraform modules that enforce the network-isolation and encryption controls instead of leaving them to a reviewer’s checklist, GitHub branch protection and required-reviewer configuration that produce the change-control evidence ISO/IEC 27001 control A.12.1 expects, and Dependabot and provenance attestations that satisfy the supply-chain expectations of recent standards without an external scanner stitched on top.

Audit-trail articles focus on what makes a log entry acceptable as evidence. Application Insights with immutable retention, structured logging that survives a schema change without losing correlation, and audit categories separated from operational logs so privacy-relevant events can be retained and queried independently. A log that cannot be queried by control reference during an audit is not an audit trail.

Evidence generation gets explicit treatment. CLI tooling that produces machine-readable compliance verification, health checks that surface privacy-control state alongside operational state, and incident response playbooks codified as GitHub Actions rather than maintained as a Word document nobody opens during the actual incident.

For the ISO/IEC standards that frame most of this content, see the iso-standards tag. The recurring theme here is broader: GDPR, HIPAA, and the ISO family are different vocabularies for the same engineering problem — building systems whose behavior matches their documentation, automatically and continuously.

Your Privacy Docs Are Fiction: Let's Fix That with .NET CLI Tools

Spreadsheet-based privacy audits examine yesterday’s system while today’s code deploys undocumented PII. Build .NET CLI tools that discover all personal data, catch expired consents, and verify deletions. Then fail builds when compliance breaks.

Security Tests That Prove Themselves

Your security tests run. They pass. But can you prove when they ran and against which code version? Most security testing lives in Word documents, Postman exports, and screenshot folders on SharePoint. The tests themselves might be valid. The evidence trail is not. This article shows how to build CLI-based test suites using xUnit and WebApplicationFactory that generate their own proof: structured logs with timestamps, commit hashes, and correlation IDs captured automatically in CI/CD pipelines. No more quarterly reports that could have been written yesterday. Instead, 847 test executions across 23 deployments, each linked to a specific commit and preserved for 90 days.
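
The evidence trail that the audit-trail paragraph above and this article both describe (an audit stream kept apart from operational logging, every line carrying its control reference, commit hash and correlation id, and queryable by control reference) as an added Python sketch; it is not the xUnit/WebApplicationFactory tooling the article builds, and the control reference format (for example ISO27001:A.12.1), field names and sample events are constructed assumptions. The hash chain is an added technique the teaser does not mention: it makes a deleted, reordered or edited line detectable when the stream is checked later.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash carried by the first record of a stream


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


class AuditLog:
    """Append-only stream of audit evidence for one CI run or deployment.

    Kept apart from operational logging so it can have its own retention and
    be queried without wading through request traces.
    """

    def __init__(self, commit: str, correlation_id: str):
        self.commit = commit                  # code version under test
        self.correlation_id = correlation_id  # ties every line to one run
        self.lines: list[str] = []
        self._prev = GENESIS

    def record(self, control_ref, event, outcome, detail=None, at=None) -> dict:
        rec = {
            "ts": (at or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
            "category": "audit",
            "control_ref": control_ref,   # e.g. "ISO27001:A.12.1" (assumed naming)
            "event": event,
            "outcome": outcome,           # "pass" or "fail"
            "commit": self.commit,
            "correlation_id": self.correlation_id,
            "detail": detail or {},
            "prev_hash": self._prev,      # links this line to the one before it
        }
        rec["hash"] = _digest(rec)
        self._prev = rec["hash"]
        self.lines.append(json.dumps(rec, sort_keys=True))
        return rec


def verify_chain(lines):
    """Recompute every hash and every link. Returns (ok, index of the first
    bad line), so a removed, reordered or edited record is pinpointed."""
    prev = GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        claimed = rec.pop("hash", None)
        if rec.get("prev_hash") != prev or _digest(rec) != claimed:
            return False, i
        prev = claimed
    return True, -1


def query(lines, control_ref, commit=None, outcome=None):
    """The auditor's question: every event evidencing one control, optionally
    narrowed to one deployment (commit) or to failures only."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec["category"] != "audit" or rec["control_ref"] != control_ref:
            continue
        if commit is not None and rec["commit"] != commit:
            continue
        if outcome is not None and rec["outcome"] != outcome:
            continue
        hits.append(rec)
    return hits


def sample_run():
    """Constructed evidence from one pipeline run (not real data)."""
    t0 = datetime(2024, 5, 6, 9, 30, tzinfo=timezone.utc)
    log = AuditLog(commit="3f2a9c1", correlation_id="run-4711")
    log.record("ISO27001:A.12.1", "branch_protection_verified", "pass",
               {"branch": "main", "required_reviews": 2}, at=t0)
    log.record("ISO27001:A.12.1", "deployment_approved", "pass",
               {"approver_team": "release-managers"}, at=t0)
    log.record("GDPR:Art.17", "erasure_verified", "fail",
               {"store": "analytics_warehouse", "rows_remaining": 3}, at=t0)
    return log.lines


if __name__ == "__main__":
    lines = sample_run()
    print("chain intact:", verify_chain(lines))
    for rec in query(lines, "ISO27001:A.12.1", commit="3f2a9c1"):
        print(rec["ts"], rec["event"], rec["outcome"])
```

Two design points matter more than the code: the control reference is a first-class field rather than something buried in a message string, which is what makes the audit-time query possible at all, and verification recomputes hashes from the canonical record rather than trusting the stored value, so the stream can be handed to a third party together with the final hash and re-checked without access to the system that wrote it.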

Certified, Filed, Forgotten: The Compliance Trainwreck

Organization gets certified. Consultants cash their checks. Documentation gets filed somewhere. Then compliance becomes a Word document ritual: screenshot the portal, sign the checklist, ship it. Three months later, an audit exposes configuration drift, hardcoded secrets, and vulnerable dependencies nobody noticed. The forensic evidence disagrees with the signatures. The fix isn’t stricter sign-offs or more checklists. It’s treating compliance as an engineering problem with automated CLI tools that run on every deployment.

"Just Delete the User": Famous Last Words Before the GDPR Audit
Your PM thinks erasure is a quick database DELETE. Three weeks later, you’ve found user data in seventeen places: production DB, analytics warehouse, Redis cache, Elasticsearch, backup tapes, and that legacy system nobody dares touch. “Delete” actually means orchestrating coordinated erasure across distributed systems, maintaining audit trails, notifying third parties, and proving it worked. This guide shows the fatal patterns I’ve seen fail spectacularly, then walks through proper orchestration with Azure Durable Functions, soft-delete with anonymization, verification checks, and immutable audit logs.
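
The orchestration the article describes, as an added Python sketch rather than the Azure Durable Functions implementation it walks through: fan out to every store that holds the subject's data, anonymize where the row must survive (orders and invoices that other records point at), hard-delete elsewhere, then verify each store by searching for the subject's known identifiers instead of trusting the delete's return code. The stores are in-memory stand-ins and the store names, PII field list, salt and rows are constructed; the legacy store whose delete silently does nothing is there to show the report refusing to claim completion, which is the failure mode the teaser warns about.

```python
import hashlib

PII_FIELDS = ("email", "name", "phone", "ip")  # assumed set of direct identifiers


class Store:
    """In-memory stand-in for one system that holds the subject's data."""

    def __init__(self, name, rows, mode, delete_works=True):
        self.name = name
        self.rows = rows
        self.mode = mode                  # "anonymize" (keep the row) or "delete"
        self.delete_works = delete_works  # False: the delete is a silent no-op


def pseudonym(user_id, salt):
    """Non-reversible replacement key: retained rows keep referential
    integrity without pointing at a person (salt is per tenant, assumed)."""
    return "anon-" + hashlib.sha256(f"{salt}:{user_id}".encode()).hexdigest()[:16]


def erase_from(store, subject, salt):
    """One activity of the orchestration: act on a single store."""
    uid = subject["user_id"]
    if not store.delete_works:
        return  # legacy system: nothing happens; only verification will notice
    if store.mode == "anonymize":
        for row in store.rows:
            if row.get("user_id") == uid:
                row["user_id"] = pseudonym(uid, salt)
                for field in PII_FIELDS:
                    if field in row:
                        row[field] = None
    else:
        store.rows[:] = [r for r in store.rows if r.get("user_id") != uid]


def residue(store, subject):
    """Independent verification: count rows still carrying any of the
    subject's known identifiers, not just the key the delete was keyed on."""
    identifiers = {v for v in subject.values() if v}
    return sum(
        1 for row in store.rows
        if identifiers & {v for v in row.values() if isinstance(v, str)}
    )


def orchestrate_erasure(stores, subject, salt):
    """Fan out, then verify every store. The report is the audit evidence;
    'complete' is only true when every store reads clean."""
    for store in stores:
        erase_from(store, subject, salt)
    results = {
        s.name: {"action": s.mode, "remaining": residue(s, subject)} for s in stores
    }
    return {
        "user_id": subject["user_id"],
        "complete": all(r["remaining"] == 0 for r in results.values()),
        "stores": results,
    }


def sample_erasure(legacy_delete_works=False):
    """Constructed data across four stores: one subject to erase, one to keep."""
    subject = {"user_id": "u-1001", "email": "ada@example.com"}
    stores = [
        Store("production_db", [
            {"user_id": "u-1001", "email": "ada@example.com", "name": "Ada", "order": 101, "amount": 40},
            {"user_id": "u-1001", "email": "ada@example.com", "name": "Ada", "order": 102, "amount": 15},
            {"user_id": "u-2002", "email": "bob@example.com", "name": "Bob", "order": 103, "amount": 9},
        ], mode="anonymize"),
        Store("redis_cache", [{"user_id": "u-1001", "session": "s-77"}], mode="delete"),
        Store("search_index", [
            {"user_id": "u-1001", "email": "ada@example.com"},
            {"user_id": "u-2002", "email": "bob@example.com"},
        ], mode="delete"),
        Store("legacy_crm", [{"user_id": "u-1001", "phone": "+15550100"}],
              mode="delete", delete_works=legacy_delete_works),
    ]
    report = orchestrate_erasure(stores, subject, salt="per-tenant-salt")
    return report, stores


if __name__ == "__main__":
    report, _ = sample_erasure()
    for name, result in report["stores"].items():
        print(f"{name:14} {result['action']:10} remaining={result['remaining']}")
    print("erasure complete:", report["complete"])
```

The shape generalises to the real thing: each erase_from call becomes one activity, residue becomes a query against the live store run after the activity reports success, and the returned report is what gets written to the immutable audit log and sent back to the requester. The order rows in production_db survive with a pseudonymous key and no identifiers, which is the soft-delete-with-anonymization pattern the article refers to; the legacy store's single remaining row is enough to keep the whole request open.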

Your Azure SQL Backups Won't Save You (Here's Why)

“We have backups” is the IT equivalent of “thoughts and prayers.” Comforting words that mean nothing when disaster strikes. I’ve watched teams discover their Azure SQL Database backups expired just before an audit, or worse, during an actual outage. The default seven-day retention feels generous until you need data from day eight.

Compliance standards demand information backup in cloud environments, but no standard can enforce what most teams ignore: actually testing those backups. The gap between “we configured backups” and “we can restore our data” has ended careers and companies. This isn’t about checking compliance boxes. It’s about whether your business survives the next outage.