The Psychology of Bad Code Part 3 – Vibe Coding

This is a series. The first blog post is here, the second is here, and this is the third. For the rest of this series, I am going to follow a similar format for each post/behavior. I will name the behavior, then various biases and heuristics that I believe apply, and then give some examples…

The Psychology of Bad Code Part 2 – Building Systems That Support Secure Developer Behavior

In my previous blog post, I introduced the topic of applying behavioral economics to application security programs, using proven behavioral economic interventions to help us avoid known bad developer behaviors (including ones I know I am guilty of). In this post I am going to cover building systems that support secure developer behavior, that can…

The Psychology of Bad Code

In this blog series I will explore several known bad developer behaviors that lead to insecure software, as well as how we can combat them by applying behavioral economic interventions. This series is an expansion upon my thoughts from my conference talk ‘Threat Modeling Developer Behavior: The Psychology of Bad Code’.

Metrics, Models, and Mindsets: A Conversation About the Future of AppSec

Recently I hosted a webinar called “Metrics, Models, and Mindsets: The Future of Application Security” with Spyros Gasteratos – long-time open source maintainer (OpenCRE, OWASP projects) and founder of Smithy Security – and Aram Hovsepyan – CEO of Codific and a core contributor to OWASP SAMM (Software Assurance Maturity Model). Our goal was simple: talk honestly about where…

What it’s Like to Record an Audiobook


https://www.youtube.com/shorts/wgrIy9Cz0qY

I recently flew to Ottawa to record the narration for my second book, Alice and Bob Learn Secure Coding, and it was a LOT of work! From September 1st to 7th, 2025 I recorded 6 hours a day at The Cave recording studio. Focusing on reading highly technical content (including tons of code),…

Security Champion Worst Practices – My Slides from Barcelona


Thank you very much to everyone who came to my talk at OWASP Global AppSec in Barcelona! It was so lovely to have the chance to speak to so many of you, and to share our experiences around security champion programs — especially the ways they can go wrong, and how to avoid those situations.…

Level Up Your AppSec Skills with Semgrep Academy!

Hey there, fellow security folks! I've got some absolutely incredible news to share with you today. Brace yourself, because I guarantee you'll be just as excited as I am. Drumroll, please... introducing Semgrep Academy! Are you ready to learn all things application security, secure coding, API security, static analysis, and maybe even some functional programming?…

Trip Report – ThreatModCon and OWASP Global AppSec 2023


October 29th, 2023 was the very first edition of “ThreatModCon”, a conference dedicated entirely to threat modelling. On the 30th and 31st was “OWASP Global AppSec”, a conference by the OWASP Foundation, dedicated entirely to application security. On November 1st and 2nd, I helped Adam Shostack deliver his 2-day intensive threat modelling training. This…