Why I'm Building StokumNET (And Launching This Blog)
After seven years as a Staff Application Security Engineer at SugarCRM, I stepped away from corporate life to return to something fundamental: building.
In application security, it's easy to focus entirely on breaking things and finding flaws. But I've always believed the best security engineers are the ones who truly understand construction. You can't effectively critique architecture if you've never had to make the trade-offs yourself.
This blog is where I'll document that journey. But first, let me tell you about the project that's consuming my evenings and weekends.
The Origin Story
About fifteen years ago, my father-in-law asked me for a favor. He needed a simple Excel spreadsheet to track what his business bought and sold. Nothing fancy—just a way to see inventory at a glance.
I built it for him over a weekend.
Then came the requests. Could it show statistics by year? Could it track which companies they bought from most? What about debt and credit balances with suppliers? Could it generate graphs?
Over the years, that "simple spreadsheet" grew into something unwieldy. Formulas nested inside formulas. Macros that took forever to run. Every new feature made it slower and harder to maintain. Excel was never designed to be a database, and we were pushing it far beyond its limits.
When I left SugarCRM last October, I finally had time to rebuild it properly.
What StokumNET Actually Is
The name comes from Turkish: "Stokum" means "my stock" or "my inventory," and "Net" means "clear" or "exact." Together: My inventory is exact.
StokumNET is a multi-tenant inventory management platform. Businesses can track products, manage stock levels, record purchases and sales, and understand their operations through data.
Which products are selling more this quarter compared to last year? Which suppliers do we buy from most? Are we carrying too much inventory of items that aren't moving? These are questions that matter to any business managing physical goods.
The platform runs on a modern stack:
Backend: Go with Gin — fast, secure, compiles to a single binary
Frontend: React and Next.js — server-side rendering with smooth client navigation
Database: PostgreSQL — reliable, with row-level security for multi-tenancy
Mobile: Swift for iOS/watchOS, Kotlin for Android
Infrastructure: Containerized microservices on private cloud with encrypted tunneling and centralized secrets management.
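The row-level security mentioned for the database layer is worth seeing concretely. The following is an added example, not StokumNET's own schema or code: it assumes a products table keyed by tenant_id, an application login role named stokum_app, and a session setting named app.tenant_id that the backend binds per request. The point it demonstrates is that a policy with both USING and WITH CHECK clauses confines reads and writes to the bound tenant, and that FORCE ROW LEVEL SECURITY is needed so the policy also applies if the app ever connects as the table owner.

```sql
-- Added example (not StokumNET's schema): tenant isolation with
-- PostgreSQL row-level security. Table, role and setting names are assumed.

CREATE TABLE products (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    sku        text NOT NULL,
    quantity   integer NOT NULL DEFAULT 0 CHECK (quantity >= 0),
    UNIQUE (tenant_id, sku)
);

-- The application connects as a non-owner role. Table owners bypass RLS
-- unless FORCE ROW LEVEL SECURITY is set, so both ALTER statements matter.
CREATE ROLE stokum_app LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON products TO stokum_app;
GRANT USAGE, SELECT ON SEQUENCE products_id_seq TO stokum_app;

ALTER TABLE products ENABLE ROW LEVEL SECURITY;
ALTER TABLE products FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when the setting was never set and
-- '' once a SET LOCAL has expired; NULLIF folds both into NULL so a connection
-- with no bound tenant matches no rows and can write none (fail closed).
CREATE POLICY tenant_isolation ON products
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the backend binds the authenticated tenant inside a transaction.
-- SET LOCAL is reverted at COMMIT/ROLLBACK, so a pooled connection does not
-- carry the previous request's tenant into the next one. Tenant id constructed.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO products (tenant_id, sku, quantity)
    VALUES ('11111111-1111-1111-1111-111111111111', 'WIDGET-01', 40);
SELECT sku, quantity FROM products;   -- returns only this tenant's rows
COMMIT;

-- Writing a row tagged with a different tenant under the same binding is
-- rejected by the WITH CHECK clause, even though the SQL itself is valid.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO products (tenant_id, sku, quantity)
    VALUES ('22222222-2222-2222-2222-222222222222', 'WIDGET-01', 5);
ROLLBACK;
```

Two design points follow from this. The policy is a backstop, not a replacement for tenant-scoped queries in the application; it catches the query that forgot its WHERE clause. And the binding step is the part to review most carefully: the tenant id must come from the verified session, never from a request parameter, and it must be set with SET LOCAL inside the transaction rather than SET on the connection.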
I'm also thinking about a simpler use case: a free mobile app for personal inventory. Track household items, share lists with family members, never buy duplicates again.
Why This Matters for Security
Building StokumNET isn't just about solving my father-in-law's spreadsheet problem. It's about staying honest.
For years, I've reviewed other people's architectures, audited their code, and advised them on security. Building a complete application from scratch—handling authentication, designing database schemas, implementing zero-trust architecture, managing secrets, setting up CI/CD—forces me to make the same decisions I've critiqued in others.
Every security recommendation I've ever made looks different when you're the one implementing it at 11 PM, trying to ship a feature. That perspective makes me a better security engineer.
What to Expect on This Blog
I created y.mo.la to share technical deep dives that I hope will help other security professionals and developers. Upcoming posts will cover:
Zero-Trust Infrastructure — How I secured my development environment using encrypted site-to-site tunnels, reverse proxies, and isolated container networks.
Modern API Security — Solving the token refresh challenge in Android and web applications without sacrificing user experience.
The Architecture of StokumNET — A detailed breakdown of how traffic flows from edge to application, and the security decisions at each layer.
StokumNET Security Roadmap — My plans for DevSecOps pipelines, shift-left security tooling, tamper-proof logging, end-to-end encryption, and AI-assisted security—implementing enterprise-grade security practices in a real application.
Lessons from Enterprise AppSec — What I learned managing vulnerability lifecycles for platforms serving thousands of global customers.
Why "y.mo.la"?
"Y" stands for Yafes. I own the mo.la domain and I'm building it into something larger. Eventually, "sec.mo.la"/"security.mo.la" will serve as a security news and research hub—a place for vulnerabilities, incidents, best practices, and community contributions. But for now, this corner of the domain is my personal technical journal.
Let's Build Something Secure
Whether you're a fellow security professional curious about hands-on building, a developer interested in security architecture, or someone evaluating my work—I'm glad you're here.
Subscribe if you want to follow along. And if anything I write sparks a question or an idea, reach out. The best part of sharing knowledge is the conversations that follow.
StokumNET is in active development.