RivasSec

Infrastructure. Security. Insight.

Field notes on infrastructure security, cloud hardening, Kubernetes, IAM, and OSINT by RivasSec.

Bandit-Clean Pwnagotchi Plugins: How `subprocess` Goes From Risk to Routine

Pwnagotchi plugins live one shell=True away from local code execution. Walking through the hardening of bt-tether-multi against Bandit B602/B603/B607: full-path resolution with shutil.which(), argv-list invocations, MAC and name validation, and the # nosec discipline. The patterns generalize to anything that shells out from Python.


TLS Has Three Jobs. Forget the Rest.

TLS gets easier when you stop walking the handshake step by step and start naming what it is for. It does three jobs. Once those are anchored, the protocol stops being a memorization problem and becomes a design problem.
