In my previous blog post, I introduced the topic of applying behavioral economics to application security programs, using proven behavioral economic interventions to help us avoid known bad developer behaviors (including ones I know I am guilty of). In this post I am going to cover building systems that support secure developer behavior, that can…
The Psychology of Bad Code
In this blog series I will explore several known bad developer behaviors that lead to insecure software, as well as how we can combat them by applying behavioral economic interventions. This series is an expansion upon my thoughts from my conference talk ‘Threat Modeling Developer Behavior: The Psychology of Bad Code’.
How To Get Your First Job In Cybersecurity
- By someone who really wants you to succeed! Finding your first job in cybersecurity (which we security nerds call 'InfoSec') can feel overwhelming. There are way too many job titles, technologies, and acronyms to keep track of. There's also no clear career or training pathway to get there (for instance, if you want to…
Metrics, Models, and Mindsets: A Conversation About the Future of AppSec
Recently I hosted a webinar called “Metrics, Models, and Mindsets: The Future of Application Security” with Spyros Gasteratos, long-time open source maintainer (OpenCRE, OWASP projects) and founder of Smithy Security, and Aram Hovsepyan, CEO of Codific and a core contributor to OWASP SAMM (Software Assurance Maturity Model). Our goal was simple: talk honestly about where…
Software Supply Chain: Bigger (and Scarier) Than We Realize
When we talk about software supply chain security, most people think only of dependencies (open-source libraries and frameworks). But the supply chain is so much more than just that. It’s everything we use to build, test, and release our software: our IDE (and all those wonderful extensions), our CI/CD pipelines (including every script, config,…
Why we need to start giving significantly more specific security advice
Recently, I had a great conversation with my friend Adam Shostack about a petition I started for the Canadian government to adopt a Secure Coding Policy that I wrote. Adam pointed out that my policy is very specific. Much more so than other government guidance like NIST or CISA’s publications. And he’s right! But I…
Vibe Check: A Panel Discussion at SecTor 2025
I had the opportunity to join an incredible panel at SecTor (a Black Hat event) in Toronto alongside Chad Breslin, Brett Grady, and Ian Hassard. We dove into the world of Vibe Coding! What it is, the risks it introduces, and how to use AI to write safer, more secure code. This video shares my key…
What it’s Like to Record an Audiobook
https://www.youtube.com/shorts/wgrIy9Cz0qY I recently flew to Ottawa to record the narration for my second book, Alice and Bob Learn Secure Coding, and it was a LOT of work! From September 1st to 7th, 2025 I recorded 6 hours a day at The Cave recording studio. Focusing on reading highly technical content (including tons of code),…
What is Threat Modeling?
Threat modeling is really just a fancy way of saying: “Let’s think about what could go wrong with our software in advance, so we can stop it before it happens.” When we build applications, most of us usually think about features, speed, and usability. Threat modeling adds another viewpoint: security. Instead of waiting for attackers…
My Schedule for Hacker Summer Camp 2025
I'm headed to Las Vegas for the annual series of events known as 'hacker summer camp': Diana Initiative, Black Hat, Def Con, B-Sides LV, SquadCon, etc. Below is my schedule. Please feel free to come to any of these events to meet up with me, I would love to see you, even if we are…
