Dummy text is text that is used in the publishing industry or by web designers to occupy the space which will later be filled with ‘real’ content. This is required when, for example, the final text is not yet available
In my previous blog post, I introduced the topic of applying behavioral economics to application security programs, using proven behavioral economic interventions to help us avoid known bad developer behaviors (including ones I know I am guilty of). In this post I am going to cover building systems that support secure developer behavior, that can…
When we talk about the software supply chain security, most people think only of dependencies (open-source libraries and frameworks). But the supply chain is so much more than just that. It’s everything we use to build, test, and release our software: our IDE (and all those wonderful extensions), our CI/CD pipelines (including every script, config,…
Recently, I had a great conversation with my friend Adam Shostack about a petition I started for the Canadian government to adopt a Secure Coding Policy that I wrote. Adam pointed out that my policy is very specific. Much more so than other government guidance like NIST or CISA’s publications. And he’s right! But I…
Threat modeling is really just a fancy way of saying: “Let’s think about what could go wrong with our software in advance, so we can stop it before it happens.” When we build applications, most of us usually think about features, speed, and usability. Threat modeling adds another viewpoint: security. Instead of waiting for attackers…
