As the co-creator of SAML and User-Managed Access, former CTO of ForgeRock, and author of the forthcoming Mastering Digital Identity: From Risk to Revenue, Eve introduces a sharper lens: identity is a product. The teams that own it intentionally ship faster, convert better, and lose less to fraud. The ones that don’t are one incident away from finding out why it mattered.

Eve shares her Four Ps framework: Protection, Personalization, Payment, and People, and explains why fraud is a design problem long before it becomes a detection problem. She also makes the case for why decentralized identity isn’t a future trend to monitor. It’s a present-tense decision your team is already making, whether you know it or not.

Topics Covered

• Why identity is part of your technology strategy

• What “identity strategy” actually means for developers (not just CISOs)

• The Four Ps framework: Protection, Personalization, Payment, and People

• Why identity and payments are inseparable, and what’s at stake when they’re not designed together

• Fraud as a design problem: modeling happy paths and unhappy paths

• The cost of separating fraud teams from development teams

• What changes when your org has a dedicated identity product owner

• Decentralized identity: why it’s happening now, and what developers need to know

• How to make the case for identity investment to a CEO or board

• Baking identity in from the start vs. scrambling to fix it after launch

About Eve Maler

Eve Maler is President and Founder of Venn Factory and an award-winning Digital Identity Strategist, whose work has influenced how people, organizations, and technologies establish identity, exchange data, and operate securely at scale. From early Internet standards such as XML to identity-defining protocols including SAML and User-Managed Access, Eve has helped build the underlying systems that enterprises around the world rely on every day.

Her career in identity spans 25+ years, from Technology Director at Sun Microsystems to Chief Technology Officer of ForgeRock, where she brought identity innovation strategy to dozens of Global 5000 brands. As a former Forrester Research security analyst and now founder of Venn Factory, Eve transforms companies’ digital identity strategies from a cost center into a growth engine by reducing friction, optimizing security and privacy protection, and unlocking new revenue opportunities.

Her influence can be seen across global initiatives, including UK Open Banking and U.S. and Canadian health IT efforts.

An author, speaker, and board member, Eve is known for connecting technical reality with business outcomes and for showing why, when identity is done right, it becomes one of the most powerful levers of competitive advantage.

• Connect with our guest Eve Maler: https://www.linkedin.com/in/eve-maler

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

Try the tutorial free

In this episode, Damien explains why DevSecOps engineers are “the glue”, the people connecting developers, operations, legal, and compliance into a single security-minded team. He walks through the patterns that repeat across every cloud platform, why the first thing you should automate is your CI/CD pipeline, and how to think about LLM risks (hallucinations, data residency, prompt injection) when you’re working in regulated environments. He also shares the story of a woman in Africa who used the DevSec Blueprint to land her first internship, proof that accessible education works.

The bottom line: security isn’t something you bolt on at the end. It’s a shared responsibility. And the sooner your team internalizes that, the faster (and safer) you’ll ship.

Topics Covered

• Why DevSecOps is a cultural movement, not a job title

• DevSecOps engineers are “the glue”: connecting developers, operations, legal, and compliance

• The DevSec Blueprint: an open-source learning guide for breaking into DevSecOps

• Systems thinking over tool-chasing: recognizing patterns that work across platforms

• Why soft skills and communication matter as much as technical chops

• The #1 thing to automate this year: your CI/CD pipeline with security gates

• Build, test, scan, deploy: the repeatable pattern inside every secure pipeline

• LLM risks in regulated environments: hallucinations, data residency, and prompt injection

• Air-gapped AI as a strategy for heavily regulated industries

• Why prompt injection is still an unsolved problem and what that means for DevSecOps

• The DevSecOps Home Lab: buying two machines from a pawn shop and learning by doing

• One mindset shift: “Security is a shared responsibility”

About Damien Burks

Damien Burks is a DevSecOps leader, security engineer, educator, and the founder of the DevSec Blueprint, a free, open-source learning guide that helps people transition into DevSecOps and cloud security development. With a background in software development and experience working in heavily regulated environments, Damien focuses on making security education accessible, practical, and community-driven. His Discord community has grown to over 650 members who actively contribute projects and capstone exercises. Damien also creates content on YouTube covering cloud security, DevSecOps, and the tech career landscape. His philosophy: less tools, more foundations, and always lead with the mindset that security is a shared responsibility.

• Connect with our guest Damien Burks: LinkedIn

• Check out The DevSec Blueprint: https://devsecblueprint.com

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

Try the tutorial free

Most security teams aren’t underprepared because they lack tools, they’re underprepared because they haven’t rehearsed what happens when humans, systems, and pressure collide. Jeff Fields says that the single most important thing teams can do is run tabletop exercises.

Fresh off a 20-year FBI career, Jeff explains why the most damaging incidents aren’t caused by “unknown threats,” but by breakdowns inside the organization, alerts going to the wrong people, missing owners, and teams operating in silos. Tabletop exercises expose those weak points early, forcing engineering, HR, legal, leadership, and comms to operate as one security team. The result is a security posture that assumes human error, limits blast radius, and lets teams ship faster with confidence.

Topics Covered

• Why “there’s no separating the digital from the human” in modern cyber attacks

• Nation-state motivations: how PRC, Russia, North Korea, and others target differently

• The “geopolitical layer cake” and why every builder is in it (whether they like it or not)

• Security as a team sport: breaking silos between engineering, HR, legal, physical security, and leadership

• Why basic information sharing is the cheapest “upgrade” most companies aren’t doing

• The Sony hack lesson: when the alerts won’t stop… and someone turns them off

• “Humans be humans”: designing systems that assume mistakes will happen

• Bake security in from the start vs. bolting it on after launch

• Zero Trust explained in plain English and why it can accelerate innovation

• Why table top exercises/war games separate resilient teams from chaotic ones

• Planning for the least likely, most catastrophic scenario (and why it covers everything else)

• Where to get government resources: fbi.gov, dni.gov, and National Counterintelligence and Security Center (NCSC) support for the private sector
  

About Jeff Fields

Jeff Fields is a newly retired FBI leader, most recently serving as Assistant Special Agent in Charge of the FBI’s Counterintelligence Branch in San Francisco, with 20 years of experience spanning counterintelligence, national security, and the defense industrial base including emerging tech and the innovation ecosystem. Now advising VCs, startups, and universities, Jeff brings a rare operator’s perspective on how real-world adversaries move and how builders can design security that supports speed instead of fighting it.

In addition to being a technical advisor, Jeff is also a Senior Fellow of Practice at the Berkeley Institute for Security and Governance where he serves as a “Hacking for Defense” (H4D) instructor. H4D teaches students how to work with the government to rapidly address the nation’s emerging threats and to solve mission-critical problems at the speed of a startup. In his free time Jeff enjoys hiking with his two Belgian Malinois, volunteering with the non-profit Girl Security, or checking out a live opera or hip-hop show.

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

Try the tutorial free

What does decentralized identity really mean, and why is it becoming essential in a world of AI, deepfakes, and digital fraud?

In this episode, we sit down with Kaliya Young. Kaliya is widely known as the “Identity Woman” and is one of the earliest pioneers of decentralized and self-sovereign identity. With over 20 years in the field, Kaliya breaks down complex concepts like decentralized identifiers (DIDs) and verifiable credentials in practical, real-world terms.

Kaliya explains how decentralized identity reshapes trust, privacy, and security across many different entities, including people, businesses, AI agents, and physical assets. From digital driver’s licenses and business wallets to supply chains and autonomous systems, this conversation offers a grounded look at how identity infrastructure is evolving. It is clear that old paper-based and centralized models are no longer enough for highly regulated industries.

Topics covered

• What decentralized identity actually means

• How decentralized identifiers (DIDs) work

• Verifiable credentials and why they matter

• Trust and privacy in the age of AI and deepfakes

• Business and enterprise use cases like know your customer (KYC) and know your business (KYB)

• Identity for AI agents and autonomous systems

• Digital wallets for people, businesses, and assets

• Revocation, security, and privacy-preserving design

• Where developers and organizations can get involved

About Kaliya Young

Kaliya Young, often called the “Identity Woman,” has been working on decentralized and self-sovereign identity for over 20 years. She works closely with developers, policymakers, and standards bodies to help make digital identity more secure, private, and human-centered.

Kaliya is also the founder and host of the Internet Identity Workshop (IIW), an unconference that brings together identity practitioners from around the world to shape the future of digital identity. Through her writing, workshops, and advisory work, she plays a central role in how decentralized identity, verifiable credentials, and trust frameworks are evolving today.

• Connect with our guest Kaliya Young: https://www.linkedin.com/in/kaliya/

• Join the Identity Woman newsletter:

Sovereign Identity Updates

Each week Identity Woman and Infominer bring the latest news in decentralized identity to your inbox. ❤️ Subscribe Free Here. ❤️

By IdentityWoman

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

Try the tutorial free

Space is where we have the opportunity to invent life-saving drugs, track natural disasters and national security threats, and connect the globe. But as we rely more on these assets, the threats from orbital debris and cyberattacks are mounting.

The problem? You can’t just walk up to a satellite, unplug it, and plug it back in.

Major General Kim Crider (ret.), Founding Partner at Elara Nova, former Chief Technology and Innovation Officer, U.S. Space Force and former Chief Data Officer, U.S. Air Force, joins us to explain why a cyber incident in orbit isn’t just an annoyance, it’s a potential kinetic disaster. She explains why Zero Trust principles must be built into systems, and why the most dangerous “backdoor” to spacecraft often sits right here on Earth.

Key takeaways:

• The stakes are physical. If a cyberattack alters a trajectory, a satellite or spacecraft risks colliding with other critical assets or debris.

• The “front door” is on the ground. While we worry about the asset in orbit, the easiest way to hack a satellite is often through the ground environment. Uplinks and downlinks (the invisible tethers controlling the system) are prime targets for spoofing and interception.

• Zero Trust must launch with the rocket. You cannot easily patch a system once it leaves the atmosphere. Security principles like Zero Trust and rollback capabilities must be designed, tested, and baked in before launch day.

• Digital airlocks. With complex supply chains, you can’t guarantee every component is secure or fail-safe. Systems must be designed to isolate compromised functions so a single failure doesn’t jeopardize the entire mission.

• Know your bill of materials. Whether it’s a satellite or a UAV, supply chain opacity is a major risk. Rigorous verification, provenance tracking, and inspections of software and hardware are essential to keeping bad actors out of mission-critical systems.

• Space is the next laboratory. Beyond surveillance, the vacuum and zero-gravity conditions of space offer a unique environment for manufacturing and scientific breakthroughs, such as inventing new, life-saving pharmaceuticals that aren’t possible to create on Earth.

About Major General Kim Crider (ret.)

Major General Kim Crider is a Founding Partner at Elara Nova, a space consulting firm helping the government and industry navigate the space market. She previously served as the Chief Technology Innovation Officer for the United States Space Force and the Chief Data Officer for the United States Air Force. With 35 years of service, including eight years in active duty, she is a leading authority on data, space, and air defense.

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

Try the tutorial free

What’s inside:

• Five things devs need to know for our agentic future

• Resources: Step-up authentication tutorial, “The AI agent access problem” with author of “Securing AI Agents” Chris Hughes, and OWASP’s GenAI Security Project

Five things to know for our agentic future

“Have your agent call my agent” isn’t just a Hollywood thing anymore. AI agents are increasingly “speaking” on behalf of the end user, but without guardrails and contracts that typically bind the human variety.

AI agents and agentic browsers ingest massive amounts of data and are often given unrestricted access.

The challenge is to maintain enterprise-grade security without breaking the user experience.

Your users don’t know what a “token” is. They don’t care about “private keys.” And frankly, they shouldn’t have to.

Their only goal is to get value out of your application. That means they aren’t thinking about the security implications of the AI agent running in the background.

But as developers, we have to.

Here are a few tips for ensuring the software you build is both secure and usable for our agentic future:

1. Deliver value and security. Don’t make users think about technical concepts like tokens and private and public keys. Your job is to protect the user and their data while letting them focus entirely on the value your product provides. But recognize there are moments where intentional friction is needed. For example, AI agents should be forced to get permission for critical, high-risk actions. This means the user always stays in control.

   • Bonus: If you’re curious about how to ensure users can approve high-risk actions, check out my tutorial: Five steps to secure your app against rogue AI agents: How to implement step-authentication using VIA’s Zero Trust Fabric

2. Abstract the technical complexity. Internally, we constantly ask, “Why does the user need to do this?” or “is this step really necessary?” or “will the user understand this?” to help us strip away the noise and ensure a simple, straightforward user experience.

3. Get comfortable talking about risk. Not all risk is created equal and you’ll just be spinning your wheels if you try to protect everything against everything. Developers must understand the highest risk for their systems. Is it exposing personally identifiable information (PII)? Compromising financial transactions? When creating an application, developers must understand what risks have the highest probability of occurring and focus on reducing the risk around those things.

4. Authenticate like it’s 1999...or 2026. Traditional tokens that give people access are now being delegated to AI agents, which could operate without being seen and technically take over accounts. Once an agentic AI holds a user’s session token, it effectively is the user. A powerful, fast, and potentially reckless user who can also be compromised by threat actors.

5. Stop designing for a single AI agent. Design for a fleet. We are heading toward a world where your users (and you, as developers!) will interact with dozens of specialized agents daily. The old model of centralized access controls won’t scale for that.

How I’ve put these tips into practice

Here’s how we’ve put these tips into practice at VIA. Right now, if a user employs an AI agent, that agent inherits all of the user’s permissions, effectively cloning the user’s session. That is a massive security gap. By making the user akin to a ‘local identity provider,’ we allow them to issue restricted, task-specific credentials to their agents. This fundamental concept informed how we designed VIA’s Zero Trust Fabric (ZTF). It ensures that if an agent is compromised, it only has access to that one specific task, not the user’s entire account.

Interested in testing out how to secure your app (and protect your users) from AI agents? Check out my free tutorial on GitHub.

Developers play a critical role in ensuring AI agents operate as designed, playing to their strengths and leaving the critical decisions to end users.

About Jesus Cardenes

Jesus Cardenes, VIA’s Senior Vice President, Product Architecture, is responsible for the technical roadmap and architectural design of all VIA products and its Web3 platform. He is known for his expertise in connecting technologies and platforms to create seamless user experiences. An interesting fact about Jesus is that he loves to cycle during the weekends with his kids!

Resources

You have pressing questions…we have answers. So you can build faster and get back to shipping. Check out the resources below.

Tutorial: Five steps to secure your app against rogue AI agents: How to implement step-authentication using VIA’s Zero Trust Fabric

Learn how to secure your app from your users’ rogue AI agents using VIA’s Zero Trust Fabric (ZTF) and step-up authentication. In this case, step-up authentication means the user has to re-authenticate to authorize high-risk actions.

“The AI agent access problem” with Chris Hughes.

Chris Hughes, CEO of Aquia, Resilient Cyber podcast host, author of Securing AI Agents, and United States Air Force veteran, dives into why identity and access are brutally hard in an agentic AI world. He also explains how incentives, compliance, and culture shape what actually gets secured.

OWASP’s GenAI Security Project

Trying to wrap your head around the security risks for LLMs, generative AI, AI agents, and MCP servers? OWASP’s GenAI Security project is one of our go-to resources.

OWASP’s LLM Top 10 for 2025

Forget the theoretical stuff. This lists the most dangerous risks, from prompt injection to the many flavors of unbounded consumption, and actually tells you what to do about them.

Learn how to secure your app from your users’ rogue AI agents in our latest tutorial.

Get started on GitHub

AI agents aren’t magic coworkers. They’re powerful, error-prone systems that can be hijacked, over-permissioned, and “social-engineered” just like humans. Chris Hughes, CEO of Aquia, Resilient Cyber podcast host, author of Securing AI Agents, and United States Air Force veteran, dives into why identity and access are brutally hard in an agentic AI world. He also explains how incentives, compliance, and culture shape what actually gets secured.

AI agents: the fundamentals matter, but don’t miss the nuance

• AI agents are risky “users” too. Agents make bizarre mistakes humans wouldn’t. And they can be taken over by threat actors. That means they need an identity, permissions, and access controls, not an all-access backstage pass.

• Identity and access management (IAM) is hard.... and SaaS often makes it harder. Most orgs over-provision access, never clean it up, and struggle to keep permissions current. SaaS tools frequently miss the business context needed to do access right. Chris cautions that those IAM tools themselves become part of the attack surface.

• The fundamentals still matter (a lot). Least privilege, micro-segmentation, and off-boarding are still important, even for agents. The goal? Minimize the damage agents can do and take away those permissions when they’re no longer needed.

• Developers should be aware of the many flavors of context manipulation. Context manipulation is where malicious instructions entice the AI agent to perform actions or disclose information it shouldn’t. Bookmark the OWASP GenAI Security Project, which continually updates these risks.

• Zero Trust applies to agents, but incentives fight it. Zero Trust principles map cleanly onto agentic AI use cases, but business leaders are focused on speed, revenue, and market expansion, rather than abstract security models. They start caring when Zero Trust and agent security are framed as compliance, regulatory, or market-entry requirements. Compliance is still a primary driver of cybersecurity headcount and tooling. Use that lever.

• Agentic AI doesn’t change the need for good access control and security fundamentals, it just raises the stakes. As Chris says, “you can’t secure what you don’t understand,” so start by truly understanding how your agents act and what they have access to. If you’re in DevSecOps or application security, think about how you can make life easier for your dev team: “make doing the right thing the easy thing.”

About Chris Hughes

Chris Hughes is a United States Air Force veteran and the CEO and co-founder of Aquia, where he helps secure state and federal agencies as well as the Department of Defense. He is the host of the Resilient Cyber podcast and a recognized expert in application security, software supply chain security, vulnerability management, and DevSecOps. Chris previously served as a Cyber Innovation Fellow (CIF) at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Check out Chris’s three books:

• Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem

• Securing AI Agents: Foundations, Frameworks, and Real-World Deployment

• Software Transparency: Supply Chain Security in an Era of a Software-Driven Society

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

Try the tutorial free

Imagine your team builds accounting software. One of your customers uses an AI agent to automate invoice verification and payment scheduling. Everything runs smoothly until the agent is hijacked. A single rogue instruction swaps out the bank details of their top five vendors with a fraudster’s account. Within minutes, your app dutifully executes five million dollars in fraudulent payments.

Now multiply that across hundreds of customers. You didn’t build the agent, but your system just became the weapon.

As the engineer designing this software, how do you stop an authorized, but compromised, agent from committing massive, irreversible fraud? The answer lies in securing high-risk actions.

As AI agents and agentic browsers become standard, the security challenge shifts. It’s no longer enough to protect logins and tokens. You have to verify the intent behind every sensitive action. The goal: maintain a seamless, passwordless experience for your users, while ensuring that every critical transaction has non-repudiable (meaning you can prove who did what), explicit authorization.

Pro tip: Treat an AI agent like an insider threat. Once an agentic AI holds a user’s session token, it effectively is the user: powerful, fast, and potentially reckless. Think of it like leaving a five-year-old alone: they might make some sensible decisions, but you must code with the very real possibility that they will burn the house down (i.e., drain an account or delete a database).

What you’re about to build

In this tutorial, I will show you how to secure your app from your users’ rogue AI agents using VIA’s Zero Trust Fabric (ZTF) and step-up authentication. In this case, step-up authentication means the user has to re-authenticate to authorize high-risk actions.

You’ll build a React application that leverages WalletConnect v2.0 and Keycloak to establish:

1. Passwordless initial authentication: The user logs in via a simple wallet scan, establishing a decentralized session.

2. Cryptographic step-up: For sensitive actions, like making a payment or transferring a file, we’ll force the agent to request a unique, asymmetric cryptographic signature from the end-user’s wallet.

This new workflow ensures that even if an agent has access to the application, the ultimate authority for critical actions remains with the human user, mathematically verified by a signature that is impossible to fake or reuse. You’ll move beyond passwords and static keys to secure the actions themselves.

The complete flow in action

1. User logs in → Keycloak handles passwordless authentication

2. System recovers session → WalletConnect info extracted from user endpoint

3. Wallet reconnects → Cryptographic session automatically restored

4. User performs action → System detects need for step-up authentication

5. Cryptographic proof → personal_sign provides mathematical verification

6. Action authorized → No passwords, no SMS codes, no friction

Prerequisites (don’t skip this)

This implementation guide focuses specifically on the ZTF step-up logic. It assumes the basic environment is already configured.

Before we start, make sure you have:

• Node.js (v18+) and npm/yarn

• React framework

• WalletConnect SDK

• Keycloak SDK

• Docker

• Tutorial 1: Passwordless (not required, but a great intro reference!)

This is the actual production code. No theoretical examples. This is what can run in real applications.

If you’d prefer to jump right in, get started by downloading the complete codebase: GitHub Repository.

Step 1: Passwordless authentication via Keycloak

To start, let’s make sure our users can securely (but easily) authenticate through Keycloak without using passwords. We will be using the ZTF plugin for Keycloak to authenticate/authorize with the VIA wallet:

// App.tsx - Keycloak initialization
const keycloak = new Keycloak({
  url: “https://auth.solvewithvia.com/auth”,
  realm: “ztf_demo”,
  clientId: “localhost-app”,
});

useEffect(() => {
  keycloak.init({
    onLoad: “login-required”,
    redirectUri: window.location.origin + “/”,
    checkLoginIframe: false,
    responseMode: “query”,
    pkceMethod: “S256”,
    scope: “openid profile email”
  })
  .then(auth => {
    if (keycloak.authenticated) {
      setAuthenticated(true);
      // Load app config after authentication
      loadAppConfig(keycloak);
    }
  });
}, []);

Step 2: User session information recovery with WalletConnect session data

In traditional web2 apps, a user would have to authenticate and then pick their crypto wallet of choice if the application wanted the user to interact with web3 systems. Not a great user experience.

This is where ZTF is different. The user’s cryptographic session information is recovered from the authentication endpoint. Thanks to VIA Wallet, users can passwordlessly authenticate and create a communication channel with the wallet to allow for blockchain interactivity. ZTF creates a walletconnect session and transfers that session to the application via Keycloak.

// ConfigService.tsx - Extract WalletConnect session from user info
const loadAppConfig = async (keycloak: any) => {
  try {
    const realm = ‘ztf_demo’;
    const userInfoUrl = `https://auth.solvewithvia.com/auth/realms/${realm}/protocol/openid-connect/userinfo`;

    const response = await fetch(userInfoUrl, {
      method: ‘GET’,
      headers: {
        ‘Authorization’: `Bearer ${keycloak.token}`,
        ‘Content-Type’: ‘application/json’
      }
    });

    const userInfoData = await response.json();

    // Extract and decode walletConnectSessionInfo
    let decodedWalletConnectInfo = null;
    if (userInfoData.walletConnectSessionInfo) {
      const decodedString = atob(userInfoData.walletConnectSessionInfo);
      decodedWalletConnectInfo = JSON.parse(decodedString);
    }

    setWalletConnectInfo(decodedWalletConnectInfo);
  } catch (err) {
    console.error(’Error loading app config:’, err);
  }
};

Step 3: WalletConnect session recovery and initialization

The recovered session data automatically reconnects the user’s cryptographic wallet. By recovering the WalletConnect session from ZTF, the user is able to directly interact with web3 blockchains without needing to reconnect their wallet. This greatly simplifies the user experience.

// App.tsx - Initialize WalletConnect with recovered session
useEffect(() => {
  if (isInitialized && walletConnectInfo && authenticated && !sessionInitialized) {
    initializeWithSessionInfo(walletConnectInfo);
    setSessionInitialized(true);
  }
}, [isInitialized, walletConnectInfo, authenticated, sessionInitialized]);

// WalletConnectProvider.tsx - Session restoration
const initializeWithSessionInfo = async (sessionInfo: any) => {
  try {
    // Store recovered session data
    if (sessionInfo) {
      await storageService.storeWcInfo(sessionInfo);
    }

    // Initialize WalletConnect client
    const signClient = await initWalletConnect(storageService);

    // Check for existing sessions and restore connection
    const sessions = signClient.session.getAll();
    if (sessions.length > 0) {
      const activeSession = sessions[0];
      setSession(activeSession);
    }
  } catch (error) {
    console.error(’Failed to initialize WalletConnect:’, error);
  }
};

Step 4: The step-up authentication magic: personal_sign

For sensitive actions, the system requires cryptographic proof from the user via a personal_sign signature using WalletConnect v2.0.

In a world of agent-driven browsers, this process is a crucial security feature. It ensures that for all critical actions (such as transferring funds or submitting a large purchase order) the agent is forced to pause and request the cryptographic proof directly from the human user’s wallet.

No explicit approval, no action taken.

// TransactionService.tsx - Step-up authentication with personal_sign
const signMessage = async (message: string): Promise<string | null> => {
  if (!client || !session) {
    console.error(’WalletConnect not connected’);
    return null;
  }

  try {
    setIsLoading(true);

    // Zero Trust validation - verify active session
    const activeSessions = client.session.getAll();
    const hasActiveSession = activeSessions.some(s => s.topic === session.topic);

    if (!hasActiveSession) {
      throw new Error(’Session not found in active sessions. Please connect your wallet again.’);
    }

    // Extract account from viasecurechain namespace
    const accounts = session.namespaces.viasecurechain?.accounts || [];
    const fullAccount = accounts[0]; // e.g., “viasecurechain:mainnet:0xbA447B1...”
    const fromAccount = fullAccount.split(’:’)[2]; // Extract address
    const chainId = fullAccount.split(’:’).slice(0, 2).join(’:’);

    // Request cryptographic signature for step-up authentication
    const params = [
      ethers.utils.hexlify(ethers.utils.toUtf8Bytes(message)),
      fromAccount
    ];

    const signature = await client.request({
      topic: session.topic,
      chainId: chainId,
      request: {
        method: ‘personal_sign’,
        params: params
      }
    });

    setLastSignature(signature as string);
    return signature as string;

  } catch (error) {
    console.error(’Message signing failed:’, error);
    throw error;
  } finally {
    setIsLoading(false);
  }
};

Step 5: User interface for step-up authentication

Now for the final step! The user sees a simple, intuitive interface for authorizing high-risk or sensitive actions:

// TransactionDemo.tsx - Complete UI for step-up authentication
const TransactionDemo: React.FC = () => {
  const { signMessage, isLoading, lastSignature } = useTransaction();
  const { isConnected } = useWalletConnect();
  const [message, setMessage] = useState(’Hello from ZTF Demo App!’);
  const [error, setError] = useState<string | null>(null);

  const handleSignMessage = async () => {
    if (!isConnected) {
      setError(’Please connect your wallet first’);
      return;
    }

    try {
      setError(null);
      await signMessage(message);
    } catch (err) {
      console.error(’Message signing failed:’, err);
      setError(err instanceof Error ? err.message : ‘Message signing failed’);
    }
  };

  if (!isConnected) {
    return (
      <div style={{
        padding: ‘20px’,
        border: ‘1px solid #ddd’,
        borderRadius: ‘8px’,
        backgroundColor: ‘#f9f9f9’,
        marginTop: ‘20px’
      }}>
        <h3>🔒 Message Signing Demo</h3>
        <p>Please connect your wallet to test message signing.</p>
      </div>
    );
  }

  return (
    <div style={{
      padding: ‘20px’,
      border: ‘1px solid #ddd’,
      borderRadius: ‘8px’,
      backgroundColor: ‘#f9f9f9’,
      marginTop: ‘20px’
    }}>
      <h3>✍️ Message Signing Demo</h3>
      <p>Sign messages with your connected wallet (no transactions involved)</p>

      <div style={{ marginBottom: ‘15px’ }}>
        <label style={{ display: ‘block’, marginBottom: ‘5px’, fontWeight: ‘bold’ }}>
          Message to Sign:
        </label>
        <textarea
          value={message}
          onChange={(e) => setMessage(e.target.value)}
          style={{
            width: ‘100%’,
            padding: ‘8px’,
            border: ‘1px solid #ccc’,
            borderRadius: ‘4px’,
            minHeight: ‘60px’,
            resize: ‘vertical’
          }}
          placeholder=”Enter your message here...”
        />
      </div>

      <div style={{ marginBottom: ‘15px’ }}>
        <button
          onClick={handleSignMessage}
          disabled={isLoading || !message}
          style={{
            backgroundColor: isLoading ? ‘#ccc’ : ‘#2196F3’,
            color: ‘white’,
            border: ‘none’,
            padding: ‘10px 20px’,
            borderRadius: ‘4px’,
            cursor: isLoading ? ‘not-allowed’ : ‘pointer’,
            fontSize: ‘16px’,
            width: ‘200px’
          }}
        >
          {isLoading ? ‘Signing...’ : ‘Sign Message’}
        </button>
      </div>

      {error && (
        <div style={{
          marginBottom: ‘15px’,
          padding: ‘10px’,
          backgroundColor: ‘#ffebee’,
          border: ‘1px solid #f44336’,
          borderRadius: ‘4px’,
          color: ‘#c62828’
        }}>
          <strong>Error:</strong> {error}
        </div>
      )}

      {lastSignature && (
        <div style={{
          marginTop: ‘15px’,
          padding: ‘10px’,
          backgroundColor: ‘#e8f5e8’,
          border: ‘1px solid #4caf50’,
          borderRadius: ‘4px’,
          color: ‘#2e7d32’
        }}>
          <strong>✅ Message Signed!</strong>
          <div style={{
            marginTop: ‘8px’,
            wordBreak: ‘break-all’,
            fontFamily: ‘monospace’,
            fontSize: ‘12px’,
            backgroundColor: ‘white’,
            padding: ‘8px’,
            borderRadius: ‘4px’
          }}>
            {lastSignature}
          </div>
        </div>
      )}
    </div>
  );
};

Authentication resources

NIST Cybersecurity Framework 2.0 explicitly recommends cryptographic authentication as the gold standard, meeting AAL3 requirements.

OWASP Top 10 2025 lists “Broken Access Control” as the #1 web application security risk and “Authentication failures” as risk #7. Your ZTF implementation will give you the tools to mitigate these risks.

Get started now: The complete checklist

Download the complete codebase: GitHub Repository

Read the complete documentation: ZTF Documentation

Technical requirements: WalletConnect SDK, Keycloak

About the Author:

Jesus Cardenes, VIA’s Senior Vice President, Product Architecture, is responsible for the technical roadmap and architectural design of all VIA products and its Web3 platform. He is known for his expertise in connecting technologies and platforms to create seamless user experiences. An interesting fact about Jesus is that he loves to cycle during the weekends with his kids!

Ready to get started? The tutorial on GitHub has everything you need to implement step-up authentication in minutes.

Get started on GitHub

George Finney, CISO at The University of Texas System and author of Project Zero Trust, asserts Zero Trust isn’t just a strategy, it’s the “only strategy when it comes to cybersecurity.”

Like all good researchers, we went straight to Reddit to see what people were really saying about Zero Trust. Turns out, a lot of teams were over it. They were tired of gatekeepers who slowed everyone down. Sure, plenty of Redditors could riff on principles like least privilege, but most were focused on what they already knew, not the bigger picture that makes Zero Trust not only work, but actually work seamlessly for teams shipping code under tight deadlines.

What Zero Trust is (and isn’t)

George sets the record straight on Zero Trust, tackling the most common misconceptions.

1. Zero Trust isn’t about not trusting people. Collaboration still matters. John Kindervaag, the creator of Zero Trust, describes it as “a strategy for preventing or containing breaches by removing the trust relationships we have in digital systems.” Listen to John Kindervaag break down Zero Trust principles in 60 seconds.

2. It’s not a product you can buy. There’s no one-size-fits-all architecture. Zero Trust is a strategy, not a tool. If a vendor tells you they “do Zero Trust,” the real question is: how will they integrate, secure data, and prove they’re trustworthy?

3. Least privilege is the how, Zero Trust is the what. Least privilege, separation of duties, and role-based access control are just building blocks. Zero Trust is the strategy that defines the desired end state.

4. The four Zero Trust design principles outlined in Project Zero Trust are simple, but powerful.

   1. “Define business outcomes.

   2. Design from the inside out. Start with data.

   3. Determine who or what needs access.

   4. Inspect and log all traffic.”

5. You may already be asking “What can go wrong?” But what must go right? Security teams often use threat modeling to anticipate failures. Zero Trust requires teams to model the critical business success path: the systems, access, and safeguards that have to stay intact no matter what.

6. Yes, Zero Trust can feel painful. But that’s a design problem, not a strategy problem. If Zero Trust makes one team the bottleneck for every permission request, the issue isn’t Zero Trust, it’s poor automation and governance. Good Zero Trust reduces friction.

7. Zero Trust and AI are inseparable. George uses a restaurant analogy: you have ingredients (data), recipes (models), system components (kitchen equipment), and end users (diners). You need to protect the ingredients, recipes, and different parts of the system. And diners should probably be kept out of the kitchen. If you think about AI this way, George says, it can help your focus on “securing trust relationships where different systems interact.”

About George Finney

George Finney is the Chief Information Security Officer at the University of Texas System, Co-Chair of the CSO Strategic Advisory AI Safety Committee at the Cloud Security Alliance, and Founder of Well Aware Security. He is the author of multiple books, including:

• Project Zero Trust: A Story About a Strategy for Aligning Security and the Business (Cybersecurity Canon Hall of Fame winner)

• Rise of the Machines: A Project Zero Trust Story

• Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future

• No More Magic Wands

George’s books skip the jargon and focus on stories. You might just find yourself rethinking Zero Trust and how it can help your team ship faster while keeping your organization and customers safe.

Security AND ship faster? Yes, please. We built the easy button for military-grade authentication.

Try it free

“You can’t measure that” is just business-speak for “we’re guessing and hoping nobody notices.”

Doug Hubbard notices. And then he brings math. The kind that turns million-dollar guesswork into real decisions, and lets software teams prove they delivered value, not just code.

And security? Also measurable. Start with defining what security means for your product (most teams miss this step!). Then get resourceful on where you get the data you need to reduce uncertainty.

• Measurement is about reducing uncertainty. One tiny drop in uncertainty can change a million-dollar decision.

• Developers love measuring speed… but speed by itself is often the least important thing. Ask questions like:

  • Did it create value?

  • Did it cost us more in fixes than it saved in speed?

  • Should we repeat, adjust, or stop investing in this feature?

• If someone says “that’s impossible to measure,” spoiler: it’s 100% measurable. Doug says, “you already have more data than you think, and you need way less data than you assume.”

• Spend more time planning for how you will leverage AI. Doug advises, “Spend more time thinking about where AI is going and options for ways you can use it.” In fact, one of the best ways you can use AI is to brainstorm and model thousands of alternative solutions.

• Security isn’t a vibe. It’s measurable. Breach databases, vulnerability scores, and near-miss data are just a few examples of hard evidence hiding in plain sight. Doug recommends starting out with Cyentia Institute’s Information Risk Insights Study (IRIS) and Verizon’s Data Breach Investigations report.

• Simple math beats expert intuition again and again. Basic statistical models often outperform seasoned pros when choosing what to build or what to fix.

• The first step for any developer: ask “What decision will this metric change?” If the metric doesn’t change a decision, it’s just noise.

About Doug Hubbard

Doug Hubbard grew up in a small rural town, became a Captain in the Army National Guard, and went on to build a career solving one of the hardest problems in business: measuring the things everyone else says can’t be measured. He’s the inventor of Applied Information Economics, founder of Hubbard Decision Research, and the guy companies call when they need to reduce uncertainty in the most uncertain environments. Doug literally makes the immeasurable… measurable.

Doug is the author of:

• How to Measure Anything in Project Management

• How to Measure Anything: Finding the Value of Intangibles in Business

• The Failure of Risk Management: Why It’s Broken and How to Fix It

• How to Measure Anything in Cybersecurity Risk

• Pulse: The New Science of Harnessing Internet Buzz to Track Threats and Opportunities

Dread authentication setup? Not anymore. Authentication in 5 Minutes. (No seriously, we timed it.)

Try it free

Vibe-coding in Cursor is great…but what about secure authentication?

In this tutorial, we’ll show you how VIA’s Zero Trust Fabric, Supabase, Keycloak, and agentic coding in Cursor can build secure, passwordless login in minutes.

You’ll see how AI-driven development can plan, build, and test a secure app without sacrificing control or compliance.

Users scan a QR code, log in, and they are instantly authenticated. No passwords. No trade-offs.

And you? You can get back to building.

Watched the video? Now try it yourself for free. The tutorial on GitHub has everything you need to ship passwordless auth in minutes.

Try it for free

Think Apple and Google are doing deep security reviews of your app? Think again.

While the App Store and Google Play scan for known malware, they completely miss big security gaps like API misconfigurations and vulnerabilities in third-party tools. Mobile app security expert Andrew Hoog breaks down the top “gotcha” moments for mobile developers and the quick, actionable steps your team can take to secure your apps and protect your users.

Top three mobile security fails

1. Skipping security reviews. Most teams either skip security reviews or use tools built for web apps. But web app scanners miss a whole range of mobile-specific vulnerabilities.

2. Using sketchy third-party SDKs. Andrew estimates 60–70% of vulnerabilities come from free, well-documented SDKs, which are “like catnip” for developers. These can send unencrypted data, use weak keys, or leak user data to foreign entities.

3. Ignoring AI risks. You, or the SDKs you rely on, might be using personally identifiable information (PII) in ways that break privacy laws, violate contracts, or erode user trust.

What you can do today

1. Get the right tools. Use security tools built for mobile apps. Andrew recommends:

   • Radare (open-source reverse engineering toolkit, binary and static analysis)

   • Frida (open-source dynamic instrumentation toolkit)

   • Both have great documentation to get you started.

2. Involve your team and stakeholders. Try NowSecure’s Mobile Application Risk Checker. It reports on sensitive data, privacy declarations, and network connections. Your app might already be listed! Start including mobile app security and privacy risks in your threat intel program.

3. Leverage free learning resources. Explore OWASP Mobile Application Security, NowSecure Academy, or tools like Claude for contextual security insights.

About Andrew Hoog

Andrew Hoog is a developer’s go-to security person. He’s been in the trenches of mobile security and forensics for over a decade, building, breaking, and securing apps long before it was cool.

He co-founded NowSecure, wrote two books on mobile forensics and security, and holds three patents in the field. When he’s not deep in code or court (he’s also an expert witness in U.S. Federal Courts), he’s helping shape the future of mobile app security at NowSecure.

Andrew’s mission? Help developers build apps that are not just awesome but are secure by design.

See how VIA’s Zero Trust Fabric delivers military-grade authentication.

Try it free

What’s inside:

• “A long and winding road to ATO made easy”

• Resources: Iron Bank (secure container image repository) documentation, National Vulnerability Database (NVD)

• Take note: Governance, risk, and compliance (GRC) engineering explained, Cybersecurity Risk Management Construct to replace Risk Management Framework, and don’t miss an interview with Dave Raley, Digital Program Manager at Marine Corps Community Services (MCCS) and pioneer of DevSecOps platform Operation Stormbreaker

A long and winding road to ATO made easy

You’ve built a prototype. It’s brilliant. It could transform national security missions.

But there’s one roadblock standing in the way. Three big letters: ATO.

As Dave Raley, Digital Program Manager at Marine Corps Community Services (MCCS), explains: ATO, Authorization to Operate, means “getting a system authorized to run in production in the government.”

It’s designed to manage risk, enforce strict security standards, and ultimately requires a designated authorizing officer (AO) to sign off before anything goes live.

Dave Raley, pioneer of Operation Stormbreaker, shares how the DevSecOps platform accelerates missions and gets software to market faster in “A Tale of Two ATOs” on the VIA Knowledge Hub podcast.

The ATO process can seem like a black hole. It can drain years and millions, with processes buried in paperwork, static snapshots, and frustration.

Use a DevSecOps platform that already has an ATO

We caught up with two seasoned VIAneers, Ashley DaSilva, Vice President, Applications, and Jesus Cardenes, Senior Vice President, Product Architecture, who offered the ultimate pro-tip:

Use a DevSecOps platform built for ATO.

• The platform already has its own ATO that covers many of the infrastructure security requirements your application would have to address, anyway.

• Your applications inherit the platform’s approval when they run on it.

• Security reviews happen through the platform.

• The platform acts as a liaison between your team and the AO.

• While you still need to continuously address application security, your application can run on the DevSecOps platform indefinitely.

The result: faster approvals, less frustration, and more time to focus on building your products.

Make the most of the DevSecOps platform

Here are Ashley and Jesus’s tips for managing stakeholder expectations and making the most of your experience with the DevSecOps platforms you use:

1. Manage release timeline expectations. The ATO process stretches timelines for big releases (architecture changes, new external data connections, etc.). Instead of two- or three-week sprints like in commercial software, expect closer to ten weeks before deployment.

2. Shift left. Think security-first, from the first step to the last. Establish a process to continuously scan for and address common vulnerabilities and exposures (CVEs) as part of every sprint so changes don’t introduce nasty surprises. “We can plan for CVEs as a part of every sprint,” says Ashley, “and determine if making a change introduces something unexpected.” Added bonus: this prep can turbocharge the ATO process.

3. Stay agile with intentional architecture design. Major architecture changes take longer to clear the ATO process. Build a solid foundation upfront, so smaller features and security pushes can glide through the process much faster. With continuous scanning already in place, you’ll speed up the ATO process dramatically.

4. Stay lean. Containerize your solution and build on top of secure and lean base images. Start by using hardened base images with minimal vulnerabilities. Choose third-party software carefully, as you inherit their vulnerabilities. Check out “A dev’s guide to hacking DoD compliance” for five more helpful tips.

5. Where possible, design stateless software. Not storing any prior interaction data, or “state,” between requests makes software scalable, resilient, and more secure.

With security built in from the start, lean practices, and DevSecOps platforms tailored for ATO, teams can move from paperwork purgatory to rapid, secure deployment.

Need to know

You have pressing compliance questions…we have answers. So you can build faster and get back to shipping. Check out the resources below.

Iron Bank documentation

Even if you don’t use Iron Bank (the secure container image repository part of the U.S. Air Force’s Platform One DevSecOps ecosystem) it’s still worth exploring the documentation. It’s a great window into how defense and other high-assurance environments think about container hardening and supply chain security. Start with the FAQ to get the big picture, then dive into “Getting Started.”

National Vulnerability Database (NVD)

Most vulnerability scanners point you here for the details, and for good reason. Maintained by the National Institute of Standards and Technology (NIST), the NVD is the go-to hub for tracking and understanding known CVEs. Keep it bookmarked; you’ll visit it more than you think.

Take note

With all the information swirling around, it’s hard to know where to focus. Don’t worry, we’ve sorted through current headlines, insights, and events and handpicked what should be on your radar for the week.

Worth your time

What is GRC Engineering?

Watch this short video to see why GRC engineering is definitely not just about paperwork. Instead, governance, risk, and compliance engineering ensures a system’s security is continuously monitored, measured, and improved.

This just happened

Cybersecurity Risk Management Construct

The Department of War announced the new Cybersecurity Risk Management Construct (CSRMC) will replace the previous Risk Management Framework (RMF). The CSRMC emphasizes continuous monitoring, as opposed to point-in-time snapshots. It champions DevSecOps, with automation baked in. CSRMC runs across 5 phases: Design, Build, Test, Onboard, and Operations.

Don’t miss this

What if it took just fifteen minutes to get your system authorized (ATO) to run in production in the government? For Dave Raley, that’s not just a dream. He’s making it a reality.

In our latest podcast episode, Dave Raley, Digital Program Manager at Marine Corps Community Services (MCCS), reveals how Operation StormBreaker is transforming the government’s ATO process.

See how VIA’s Zero Trust Fabric delivers military-grade authentication.

Try it free

Getting an Authorization to Operate (ATO) can be a slow and expensive hurdle for developers trying to deploy software for the government. In this episode, Dave Raley, Digital Program Manager at Marine Corps Community Services (MCCS), explains how he’s revolutionizing this process with Operation StormBreaker. Instead of a months-long process, StormBreaker provides a pre-authorized DevSecOps platform that allows mission owners and contractors to deploy their code into production in as little as 15 minutes.

By shifting from a traditional “checklist” mindset to one of continuous risk assessment, StormBreaker focuses on the ultimate goal: securely and resiliently delivering mission-critical capabilities.

Key Takeaways

• Stormbreaker is an alternative to an old checklist model. The traditional Risk Management Framework (RMF) acts like a static checklist. StormBreaker takes a more modern approach, one underscored in the recently-released Cybersecurity Risk Management Construct, and uses advanced tooling to continuously monitor the software’s actual risk posture at any given moment.

• Focus on outcomes. The most important question isn’t “Did we complete the checklist?” but rather, “Did we get a secure and resilient workload into production?” Understand the pain point before trying to build a solution.

• Contractors can’t get an ATO alone. A commercial company is always dependent on its government partner to secure an ATO.

• Ask early, ask often. Software teams should ask their mission owners right away, “What’s the plan to get this into production?” That exposes roadblocks before time and money disappear.

About Dave Raley

Ever wonder how some leaders just get it when it comes to modernizing big organizations? Then you need to meet Dave Raley, who has been with the Marine Corps as a civilian since 2010. Dave is the Digital Program Manager at Marine Corps Community Services (MCCS) and he totally transformed how Marines and their families get services.

But here’s the best part: he didn’t just manage change, he ignited it. Dave actually founded MCCS’s innovation capability and launched their whole customer experience (CX) strategy.

He pioneered something called Operation StormBreaker. Why? To cut down on software development headaches, save money, and get critical missions done faster. And get this: StormBreaker is gaining traction beyond MCCS, making secure cloud deployments scalable for services across national security.

Like this podcast episode? We’d love if you shared it!

Building software for the DoD shouldn’t be a constant battle with access. We know, because we’ve been there. We built VIA’s Zero Trust Fabric to fix all that.

Try it for free

What’s inside:

• Party like it’s Y2Q, then do these five things

• Resources: NIST Post Quantum Cryptology Standards, the Biden administration’s memo on quantum to establish US superiority and ensure security, and a handy post-quantum cryptography roadmap

• Take note: IBM Fellow Jerry Chow makes quantum make sense, an exclusive interview with Dave Raley, who will help you get your prototype to market faster

Party like it’s Y2Q, but first do these five things

Countdowns usually end with fireworks, champagne, or at least a deployment that doesn’t break prod. But the Cloud Security Alliance’s (CSA) “Countdown to Y2Q” aka “the countdown to quantum destruction” isn’t exactly party vibes. Their forecast? By 2030, quantum computers will rip through today’s encryption and all we’ll end up with is a broken padlock emoji 🔓(which, let’s be real, doesn’t even look that broken).

Why you should care: encryption is going, going, gone

Why should you care? Algorithms we’ve leaned on for decades (RSA, ECC, etc.) go from “mathematically solid” to “sand castle at high tide” once quantum shows up. We’re talking minutes to crack, not months or years.

Where does that leave your organization? With two missing features:

• No confidentiality: everything you thought was private is now basically a public repository.

• No integrity: you can’t trust that a website, email, machine, or file is what it claims to be or that it hasn’t been mangled in transit.

And sure, that CSA clock says we’ve got a few years left to procrastinate. But here’s the kicker: the problem isn’t just “future you.” It’s happening right now.

Ever heard of harvest now, decrypt later? Bad actors are hoarding your encrypted data like the junior devs stuffing their hoodies with office snacks, waiting for the quantum commute to dig in. At your company’s expense. 🍪

FYI: The Quantum Computing Cybersecurity Preparedness Act (QCCSP) tasks the U.S. Office of Management and Budget with prioritizing moving federal IT systems to quantum-resistant cryptography. And the National Security Agency (NSA) has directed the Defense Information Systems Agency (DISA) to make sure that post-quantum cryptography rolls out in national security IT systems by 2035.

Here are a few terms worth noting:

Quantum computing

Think of quantum computing like an octopus: the “brain” has a sense of the problem, while the tentacles work through different answers all at the same time. Parallel brute-force, but squishier and cuter. (Also, if you’ve read Adrian Tchaikovsky’s Children of Ruin, you already know octopi are smarter than us and are just one pandemic away from running the planet.)

Qubit

Sounds like a sugary cereal or off-brand Lego set, but it’s the basic unit of quantum computing. Classical bits are 0 or 1. Qubits can be 0, 1, or a little bit of 0 and 1 at the same time (also known as superposition). Let the fun begin!

Post-Quantum Cryptography (PQC)

The set of new algorithms NIST is rolling out to replace the soon-to-be-broken classics (RSA, ECC, etc.). You’ll see terms like quantum-safe, quantum-secure, quantum-resistant, which all essentially mean the same thing. But note that quantum cryptography actually refers to something different, cryptography made possible by quantum mechanics.

Crypto-agility (or algorithm agility)

Think of it like swapping your phone case: the old cracked one comes off, a shiny new one goes on, and your trusty phone keeps working just fine. Crypto-agility is crucial for post-quantum cryptography. It allows today’s algorithms to be swapped with tomorrow’s quantum-resistant ones without a big overhaul.

And now, what you’ve all been waiting for, a to-do list!

Five things developers can do today

1. Create an inventory of all classical cryptography methods. Don’t forget about third-party vendors. Roll up your sleeves and roll out that spreadsheet.

2. Bookmark standards and track PQC release schedules. VIA’s development team recommends checking out NIST IR 8547 and OpenSSL.

3. Start experimenting with post-quantum cryptography libraries now. They’re still under development, so they are still evolving. But you should prepare yourself for larger keys and signatures (not to mention other unknowns), which will impact storage, bandwidth, and processing time.

4. Remember crypto-agility from your vocab lesson earlier? Bake crypto-agility into your engineering and appsec processes. Get leadership on board because you’ll need their support.

5. Plan for hybrid: both classical and post-quantum algorithms side-by-side. VIA referenced Commercial National Security Algorithm (CNSA) Suite 2.0 guidelines and identified applications of each algorithm within VIA’s applications. Since PQC security libraries are not widely adopted or battle-tested (yet), VIA uses a hybrid approach. In other words, VIA integrates PQC with today’s classical algorithms.

Have questions about PQC security libraries? VIA engineers have been there, done that. Drop your questions in the comments or reply to this newsletter.

Need to know

1. NIST Post Quantum Cryptology Standards

   Quantum is nothing new to the National Institute of Standards and Technology (NIST). The agency has already published a handful of PQC standards and reference guides.

2. National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems

   The Biden Administration jump-started the federal government’s earnest attempt to safeguard the U.S. in a post-quantum cryptographic world, signing the Quantum Cybersecurity Preparedness Act in late 2021, then quickly issued National Security Memo (NSM) 10 to “identify key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security.” The memorandum laid out specific actions that agencies must follow in what the administration said would be a “multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography.”

3. Post-quantum cryptography migration roadmap

   A high-level, easy-to-share survival guide for swapping out today’s breakable algorithms with quantum-safe algorithms, without breaking your systems. Four steps: prep, inventory, plan/execute, and keep watching, because quantum will be keeping you on your toes.

Take note

With all the information swirling around, it’s hard to know where to focus. Don’t worry. We’ve sorted through current headlines, insights, and events and handpicked what should be on your radar for the week.

Worth your time

IBM’s Quantum Director Talks AI, Breaking Crypto, Basics of Quantum (Video)

Matthew Berman sits down with IBM Fellow Jerry Chow, who somehow makes quantum computing make sense. Chow breaks down how quantum can shred today’s encryption, how quantum-safe protocols keep us secure, and where AI and quantum might take us next.

This just happened

“Mitigating Cybersecurity Threats and Preparing for a Quantum-Driven Landscape”from CAPTECHU

Why should post-quantum cryptography steal all the spotlight? PQC is basically Luke Skywalker staring down the quantum Death Star, but even Luke needs backup. Like everything in security, it’s about layers: you lock the blast doors, place a team of Chewbacca’s in the hallway, and get a few blaster rifles. This article outlines why defense in depth is critical, and how decentralization is a key part of the rebel alliance.

Don’t miss this

Meet Dave Raley, the mind behind Operation Stormbreaker and Digital Program Manager at Marine Corps Community Services (MCCS).

If you’ve ever wondered how to take a software prototype from idea to market faster, Dave’s the one you want in your corner. 🚀

Stay tuned next week!

Building software for the DoD shouldn’t be a constant battle with access. We know, because we’ve been there. We built VIA’s Zero Trust Fabric to fix all that.

Try it free

In a world where security breaches are a constant threat and user trust is critical, building a secure authentication system is no longer optional. This is especially true for highly regulated industries like defense and energy, where a single vulnerability can lead to catastrophic consequences.

In addition, when it comes to designing access in highly regulated environments, you can waste weeks on compliance challenges and still not get it right.

That’s exactly why we built VIA’s Zero Trust Fabric (ZTF). ZTF came to life because VIA needed a trustworthy way to manage keys in situations where centralized technology just wouldn't work. The problem wasn't a lack of central key management solutions. Instead, it was the fragmented networks, continuous common vulnerability remediation, and licensing restrictions that made them unusable.

Today, I’m going to show you exactly how to implement VIA’s Zero Trust Fabric (ZTF) authentication system that eliminates passwords entirely and takes less than five minutes to set up.

And the best part? Your users will actually thank you for making their lives easier.

What is ZTF?

Zero Trust Fabric (ZTF) is VIA’s advanced security framework built on the key principle of Zero Trust: “never trust, always verify” (listen to Zero Trust creator John Kindervaag break down Zero Trust principles in 60 seconds). It provides a decentralized passwordless authentication infrastructure that moves beyond traditional perimeter-based security models to protect against modern cybersecurity threats.

You might be thinking, “implementing proper passwordless authentication requires months of development, complex infrastructure, and deep security expertise.” But with solutions like ZTF, this is no longer the case.

Pro-tip: Big players such as Microsoft eliminated 99.9% of their authentication attacks simply by going passwordless.

What you’re about to build

In the next few minutes, you'll create a production-ready React application with:

✅ Passwordless authentication using industry-standard OAuth 2.0 + PKCE

✅ Automatic token refresh, which means no more "session expired" errors

✅ Zero-trust security with JWT validation

✅ Docker containerization for instant deployment

✅ CORS configuration that actually works in production

Did you know: Major enterprises like BMW, Deutsche Bank, and Netflix use similar zero trust architectures.

Prerequisites (Don't skip this)

Before we start, make sure you have:

• ZTF Tutorial Github open

• Node.js 18+ installed

• Docker running on your machine

• 5 minutes of uninterrupted time

• A coffee ☕ (optional but recommended)

Ready? Let's build something amazing.

Step 1: Understand the architecture

Here's the beautiful simplicity of what we're building:

User → React App → Keycloak → JWT Token → Protected Resources

Why this works:

1. User Experience: One-click authentication, no passwords to remember.

2. Security: Public and private key cryptography avoiding centralized passwords.

3. Scalability: Handles high volumes of users thanks to the decentralization of credentials over mobile devices.

4. Developer Experience: Set it up once, forget about auth forever.

Step 2: The magic configuration (where most people mess up)

Here's a configuration that is a great starting point for many developers:

const keycloak = new Keycloak({
  url: "https://auth.solvewithvia.com/auth",
  realm: "ztf_demo", 
  clientId: "localhost-app"
});

// The secret sauce most tutorials don't mention
keycloak.init({ 
  onLoad: "login-required",
  redirectUri: window.location.origin + "/",
  checkLoginIframe: false,        // ← Critical for modern browsers
  responseMode: "query",
  pkceMethod: "S256",             // ← This helps prevent attacks
  enableLogging: true,
  scope: "openid profile email",
  flow: "standard",
  useNonce: true                 // ← Enabled for better security with nonce validation
})

Pro-tip: This configuration is a common, secure pattern used in production environments.

Step 3: Token management gamechanger

Most authentication tutorials teach you how to configure the log in experience. Few teach you how to ensure users stay logged in securely. Here’s an example of how you should handle refresh tokens and log outs for a seamless user experience that follows security best practices.

const setupTokenRefresh = () => {
  keycloak.updateToken(360).then((refreshed) => {
    if (refreshed) {
      console.log('Token refreshed seamlessly');
      // User never knows this happened
    }
    setCurrentToken(keycloak.token);
    setLastTokenUpdate(new Date());
  }).catch((error) => {
    // Graceful fallback - no jarring redirects
    keycloak.login();
  });
};

// Auto-refresh every 5 minutes
setInterval(setupTokenRefresh, 300000);

Pro-tip: Users hate being interrupted. This silent refresh means they can work for hours without thinking about authentication. Happy users = loyal users.

Step 4: Docker deployment

Get production-ready in seconds. Move your React app from development to production by switching from a local development server to a robust, dedicated web server like NGINX.

FROM node:18-alpine as build
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build

FROM nginx:alpine
COPY --from=build /app/build /usr/share/nginx/html
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

One-command deployment:

docker-compose up -d --build

Pro-tip: Feel free to use this production-ready Docker configuration.

Want to take a deeper dive? Check out the full ZTF documentation.

Important: To avoid needing a domain we used HTTP in this tutorial, but don’t forget that your app will need to upgrade to HTTPS before releasing to your users!

Security best practices

Tips for enterprise-grade security:

1. Memory storage: Tokens in memory, never localStorage (prevents XSS attacks).

2. HTTPS everywhere: Non-negotiable in production.

3. Restrictive cross origin authorization between ZTF and the application: Only allow necessary origins.

4. Backend validation: Always validate tokens server-side.

These practices are mandated by security frameworks like NIST, OWASP, and used by financial institutions processing trillions of dollars.

Troubleshooting

Common issues that slow down developers.

1. “Invalid nonce” errors? → If you encounter nonce validation errors, ensure your keycloak-js version matches your Keycloak deployment version. Current configuration uses ‘useNonce: true’ with Keycloak 25.0.6

2. CORS nightmares? → Check Keycloak client's Web Origins

3. Redirect loops? → Verify valid redirect URIs match exactly

This troubleshooting section alone could save you hours of debugging. You’re welcome!

What you've just accomplished

Stop and appreciate what you've built.

✅ Enterprise-grade security that help you go passwordless like Fortune 500 companies

✅ Seamless user experience that removes friction

✅ Production-ready deployment with zero configuration hassle

✅ Automatic token management that works seamlessly

✅ Future-proof architecture that scales to millions of users

Implementation challenge

Here's my challenge for you.

1. Today: Clone this repository and get it running locally.

2. This week: Adapt the configuration for your own project.

3. Share: Tell me about your implementation on LinkedIn or X.

Why this matters: Every day you delay implementing proper authentication, you're exposing your users and your business to unnecessary risk.

Join the passwordless revolution

The facts are undeniable.

• Passwords are a primary factor in many data breaches.

• Users abandon apps with complex auth flows.

• Passwordless auth increases user engagement.

• Implementation takes less time than reading this article.

The question isn't whether you should implement passwordless authentication.

The question is: What's stopping you?

ZTF Authentication Resources

Want to go deeper? Here are the resources that shaped this tutorial.

• ZTF Documentation

• Keycloak JS Documentation

• OAuth 2.0 PKCE Specification

• OWASP Authentication Guidelines

• Zero Trust Architecture (NIST)

About the author

Jesus Cardenes, VIA's Senior Vice President, Product Architecture, is responsible for the technical roadmap and architectural design of all VIA products and its Web3 platform. He is known for his expertise in connecting technologies and platforms to create seamless user experiences. An interesting fact about Jesus is that he competed in the junior roller hockey national club finals in Spain!

Building software for the DoD shouldn't be a constant battle with access. We know, because we've been there. We built VIA's Zero Trust Fabric to fix all that.

Try it free

What’s inside:

• “The risky business of software development: five tips for becoming fluent in risk”

• Resources: DoD’s current Risk Management Framework (RMF) explained, a risk analysis overview

• The weekly brief: A new RMF in the works, a guide to security chaos engineering, and an upcoming tutorial on how to build military-grade authentication

The risky business of software development: five tips for becoming fluent in risk

Ok, we know you’re picturing Tom Cruise sliding across a hardwood floor in his underwear, mic in hand (er, candlestick?). But that’s not where we’re going with this… building software is risky business. And while risk management may not appear in the qualifications for a software engineer job posting, understanding, managing, and mitigating risk is an implicit requirement for dev teams working with the DoD.

First, a very quick introduction to key terms related to risk. As an engineer, an important part of your job is protecting information and information systems. From what exactly? “Risks that arise from the loss of confidentiality, integrity, or availability of information or information systems,” according to the folks at the National Institute of Standards and Technology (NIST).

Here are examples of confidentiality, integrity, and availability:

• Confidentiality: Only authorized personnel can access intelligence reports.

• Integrity: GPS coordinates aren’t altered by threat actors.

• Availability: Secure networks stay online even during a cyberattack. Ironically, well-meaning but cumbersome security controls can also disrupt availability by slowing down authorized users.

Building software always involves risk. Some risks, like a brief service disruption for a rarely-used feature, may be unlikely and have minor impact. Others, such as a data breach from an unpatched vulnerability, can lead to lost contracts, fines, lawsuits, or even put your organization out of business. More critically, you put the mission, and the Nation, at risk.

Five tips for building risk fluency

1. Accept that managing risk is part of your job. In fact, DevSecOps is a method for managing risk, ensuring dev teams are thinking about security as soon as a product or feature is a twinkle in their eye, through planning, implementation, and the entire lifecycle of a product.

• Bonus: Once you get past denial and into acceptance, you’ll see that risk management is a creative, cross-disciplinary exercise that often improves efficiency, the user experience, and security.

2. Focus on risk, not checkboxes. Yeah, yeah, we know compliance is not security. Devs need to go deeper, understanding the risk that underpins compliance. For example, you may have to protect the system with multi-factor authentication, but you have some flexibility in exactly how that is implemented to provide flexibility and usability to support your users. In other words, you don’t have to just check a box, you can provide an optimal experience (as emphasized in our recent VIA Knowledge Hub podcast episode with Michael Frank, Deputy CTO for the Department of the Navy).

• Bonus: This approach also leads to more productive conversations with compliance leaders and the DoD.

3. Drag risk into the sunlight. Get comfortable participating in cross-disciplinary risk assessments, where you’ll identify risks, score them based on likelihood and impact, and craft a plan to mitigate them. Also, risk assessments are not a one and done, they are an ongoing exercise. In fact, they kind of remind us of Lamb Chop’s Play Along: The Song That Doesn’t End.

• Bonus: As an engineer, you bring unique insight into the risks inherent in your system. Playing an active role highlights your value and strengthens your career path.

4. Use the four risk options: avoid, mitigate (reduce), accept, transfer. As VIA’s Vice President of Software Engineering, John Muddle, advises: avoid risk where possible—for instance, by minimizing third-party dependencies. If you only need one dataclass and minimal validation, for example, it might not make sense to install Pydantic. Instead, use Python’s built-in dataclasses. Other risks should be mitigated (or reduced) with security controls. Be cautious when accepting or transferring risk, as these decisions will face DoD scrutiny. The key is knowing your stack, its risks, and being ready to talk about them.

• Bonus: Your clients in government will feel comfortable putting their trust in you if they feel you not only understand, but are open and upfront about, the risks in your platform.

5. Shift left. The earlier the concept of risk is introduced in the development process, the more likely developers are to minimize risk as they build software for DoD.

• Bonus: Talking about risk from the start moves you closer to the coveted “secure by design” posture.

The bottom line: Trust comes from showing the DoD you understand risk, manage it wisely, and speak about it openly.

Need to know

You have pressing questions about risk…we have answers. So you can move closer to preventing the release of vulnerable code and to achieving a secure by design model. Check out the resources below.

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
Who doesn’t feel better when NIST offers up guidelines? The tenets of this framework are a cornerstone of DoD’s Risk Management Framework (RMF). NIST touts it as providing “a disciplined, structured, and flexible process for managing security and privacy risk.” That, they say, includes elements like information security categorization and continuous monitoring.

Risk Analysis - Know Your Threat Tolerance
Still have questions about risk or want a quick video to share with your team? IBM’s no-nonsense, 5-minute explainer breaks down what these terms mean, why they matter, and gives simple examples anyone can follow.

Take note

With all the information swirling around, it’s hard to know where to focus. Don’t worry, we’ve sorted through current headlines, insights, and events and handpicked what should be on your radar for the week.

This just happened

“DOD CIO to Release New RMF in the Coming Weeks”: MeriTalk
In a renovation worthy of HGTV, Katie Arrington, acting CIO at the Pentagon, has been promising to remake DoD’s Risk Management Framework into a Ten Commandments of sorts for software engineers and others doing business with DoD. It looks like Arrington is finally putting action to words, telling an audience at the Billington CyberSecurity Summit in Washington that new guidance that “retains strong cybersecurity standards without sacrificing speed and innovation” will be landing in the “next couple of weeks.”

Worth your time

The Basics of Software Resilience and Security Chaos Engineering
All this risk talk can make your eyes glaze over and makes you lose sight of what the ultimate goal is: to build more resilient systems. Kelly Shortridge’s book Security Chaos Engineering: Sustaining Resilience in Software and Systems offers a great introduction to the principles behind resilience and systems thinking, including the helpful reframing of “treating resilience—security included—as a product.” This blog post overview of her book is an excellent resource for engineers.

Don’t miss this

Later this week, check out the tutorial “How I built military-grade authentication in five minutes (and why your users will love going passwordless)” from Jesus Cardenes, VIA’s Senior Vice President, Product Architecture.

Building software for the DoD often means battling with access challenges. We know, because we've been there. We built VIA's Zero Trust Fabric to fix all that.

Try it out free

Bottom line: know the mission, know your product, and flash your risk math prowess. That’s how commercial teams win in defense.

Key takeaways:

• DoD work = hardest, most meaningful problems. The kind that attracts top talent and spins out dual-use breakthroughs.

• Use dual-use to your advantage. Navy focus areas (cyber, threat intel, AI, quantum/PQC) let you build once and win in both defense and commercial markets.

• One product, one UX. There shouldn’t be an “optimal UX for commercial” and “suboptimal UX for DoD.” Great UX should be universal.

• Speed vs. security is a choice. Understand and own it. In other words, skip controls now, pay the price later. Mike says it’s important for teams to understand “Everything we engineer, everything we build, must be secure from day one. That must be the priority.”

• Mike’s team embraces “secure by design.” Engineering and security leaders take note: bake in compliance up front and give engineers paved roads, not bolt-ons.

• Great partners adapt and communicate. Just like in any healthy, thriving relationship, they learn how to work with the government, they’re great communicators, they know how to push back (the DoD doesn’t expect “bespoke everything”) but also remain flexible and recognize there are DoD-specific constraints.

• Get fluent in risk. Conduct a risk assessment, have a deep understanding of what risks exist and what you’re doing about them. This is evidence you understand both your product and the broader mission.

About Michael Frank

Michael Frank is the Deputy Chief Technology Officer for the Department of the Navy. In addition to his role as Deputy CTO, he’s also currently Cyber Portfolio Lead for the Marine Innovation Unit as a Marine Reservist.

Mike is an expert at navigating the unique challenges of the DoD and part of his role is helping organizations work successfully with the Department of the Navy. In other words, Mike's the person you want on your team! What's especially great about Mike is his 360-degree view. He’s consulted for both public and private sectors, so he truly understands the landscape. He's seen it all.

After college, Mike served for four years on active duty in the Marine Corps as a communications officer. He continued (and continues!) his service in the reserves, where he established Defensive Cyber Operations (DCO) Companies. Simultaneously, he earned his MBA and worked in consulting at Accenture and Boston Consulting Group (BCG).

At Accenture and BCG, Mike worked with various DoD organizations, consulted on cyber issues for the Department of Energy and Department of State, and advised banks, insurance companies, and healthcare companies. Basically, he’s got a ton of experience understanding and solving critical problems for all sorts of organizations.

Like this podcast episode? We’d love if you shared it!

Building software for the DoD shouldn't be a constant battle with access. We know, because we've been there. We built VIA's Zero Trust Fabric to fix all that.

See how it works

What’s inside:

• DoD dev: John Muddle’s top five tips for overcoming DoD compliance challenges

• Resources: DevSecOps definitions and requirements, Authority to Operate (ATO) explained

• Take note: DevSecOps updates at the DoD, AI Cyber Challenge by DARPA, and an upcoming interview with Mike Frank, Deputy Chief Technology Officer, Department of the Navy CIO

DoD dev: John Muddle's top five

As VP of Software Engineering at VIA, John Muddle is no stranger to the compliance challenges of developing software for the Department of Defense (DoD). He may jokingly claim he embraced DevSecOps “before it was cool” (wait, is John implying DevSecOps is cool now?), but John was instrumental in VIA’s early efforts to meet the security controls for IL 2, 4, and 6. Read on to see his must-haves for navigating and conquering DoD’s compliance maze.

Handling DoD data in the cloud? You’ll need to become familiar with IL (“impact levels) 2, 4, 5, and 6.

John’s top five key takeaways for dev teams working with the DoD:

• Build on top of secure and lean base images. Start by using hardened base images with minimal vulnerabilities. The choice of operating system is also critical. Python packages must be compatible with the right underlying C library.

  • Pro tip: Initially tap Iron Bank, Chainguard, or Docker for hardened base images.

• Minimize third-party dependencies. Reduce external dependencies to limit potential vulnerabilities and shrink the attack surface.

  • Pro tip: If you only need one dataclass and minimal validation, for example, it might not make sense to install Pydantic. Instead, use Python’s built-in dataclasses.

• Embrace "shift left" for code scanning. Integrate code scanning early in the development lifecycle to proactively identify and address security issues.

  • Pro tip: Check out Trivy or Grype, both open source vulnerability scanners.

• Understand your entire stack. Compliance extends to the entire software stack, including the OS, dependencies, and processor. Without a comprehensive understanding of your full stack’s vulnerability profile you’ll leave your organization open to exploitation.

  • Pro tip: If you don’t know what processor you're using (which is surprisingly commonplace), then find out.

• Be strategic with vulnerability management. You have three options when it comes to vulnerabilities and working with the DoD:

  • 1. Ask if the problematic code is really necessary. If not, remove it.

  • 2. Refactor your code or upgrade the library.

  • 3. If those options don’t apply, then justify the vulnerability. But know that will be a hard sell.

  • Pro tip: Check out CISA’s Known Exploited Vulnerabilities (KEV) Catalog and NIST’s National Vulnerability Database (NVD)

Need to know

You have pressing compliance questions…we have answers. So you can build faster and get back to shipping. Check out the resources below.

1. Rapid Assess and Incorporate Software Engineering 2.0 Implementation Guide

   If you need to wrap your head around DevSecOps guidelines, definitions, and requirements, our engineers recommend starting with this guide, designed to enable the Department of the Navy Digital Warfighter to respond quickly to the “evolving demands of cyber warfare and achieve a continuous cyber readiness.”

   Author: the Department of the Navy Chief Information Officer

2. What is Authority to Operate (ATO)?

   Selling your software to the DoD may require an Authority to Operate (ATO) first. Don’t know what this means? Hint: “It’s a status that approves an IT system for use in a particular organization.” This article explains the process, what to expect, and how to overcome common obstacles.

   Author: Second Front

Take note

With all the information swirling around, it’s hard to know where to focus. Don’t worry, we’ve sorted through current headlines, insights, and events and handpicked what should be on your radar for the week.

This just happened

“DOD Expands DevSecOps to Accelerate Software Deployment”: GOVCIO Media & Research (article)

Worth your time

“Andrew Carney (DARPA: Defense Advanced Research Projects Agency) gives an inside look into AI Cyber Challenge”: Resilient Cyber (Video)

Resilient Cyber

Resilient Cyber w Andrew Carney DARPA AI Cyber Challenge AIxCC

In this episode, I interview Andrew Carney, the Program Manager for DARPA's AI Cyber Challenge (AIxCC…

Listen now

7 months ago · 9 likes · Chris Hughes

Don’t miss this

Exclusive interview with Mike Frank, Deputy Chief Technology Officer and Department of the Navy Chief Information Officer. Watch it now!