Practical notes on AWS architecture, serverless builds, Java on Lambda, AI workflows, and running a Swiss software practice. No hot takes, just things that worked (or did not).
WordPress, Security, Switzerland, Serverless, FADP. ~8 min read
Three pieces of evidence on why WordPress sites are a concrete security risk for Swiss SMEs. With sources from the Federal Office for Cybersecurity (BACS), Patchstack and Wordfence.
Even when you avoid the self-built login and go with Cognito plus Lambda@Edge, there is a layer of traps that no AWS reference blog mentions. Four traps in a fixed order, because you only reach each one once you have handled the previous one correctly. The most expensive hour of the setup had nothing to do with cryptography. It went into figuring out which of two CDK stacks has to deploy first. Resolution in three steps.
2700 measurements on AWS Lambda in eu-central-2, arm64. Four runtimes side by side: Quarkus JVM, Quarkus Native, Node 24, JVM with SnapStart. Init Duration is memory-independent for three of four. JVM at 512 MB takes 5.8 seconds to first response, native and Node sit under 600 ms. And SnapStart without priming actually makes things worse. The data, the methodology, and what to take away.
My first attempt at sending a verification email from AWS Cognito was a full SMTP server of my own. Locally it ran. In AWS, not a single mail got through. Three traps later, the system was running in production: outbound port 25 blocked, SES API-only in eu-central-2 (Zurich), and KMS envelope encryption colliding with JVM cold starts and Cognito's retry logic. Architecture, runtime trade-offs, and an idempotency line of defense.
In 2024 I built a full marketplace app: iOS, Android, AWS backend, payments, three-language marketing. Zero users. The lesson from Rentaside on product-market fit, the marketplace cold start, and what three decades of code don't teach you.
Bastion hosts cost $43.80 a year just for the public IP, plus patching and key rotation. EC2 Instance Connect Endpoint is free but drops after one hour. Fargate ephemeral gives you serverless-on-demand tunnels with no session cap. Three options, one decision.
"I'll just quickly build the login." That's the sentence that starts every other SaaS disaster. Password hashing, MFA, passkeys, token rotation, audit logs, FADP compliance. Why Cognito, Lambda@Edge, and API Gateway solve it cleanly in three layers, and why you should never build this yourself.
Standard Lambda has a home region, often a continent away from the user. Lambda@Edge runs at 400+ CloudFront edge locations. The four trigger points, real use cases (edge auth, security headers, geolocation routing), the hard limits, and what's running in production at SCMC.