In my previous blog post, I introduced the topic of applying behavioral economics to application security programs, using proven behavioral economic interventions to help us avoid known bad developer behaviors (including ones I know I am guilty of). In this post I am going to cover building systems that support secure developer behavior, that can…
In this blog series I will explore several known bad developer behaviors that lead to insecure software, as well as how we can combat them by applying behavioral economic interventions. This series is an expansion upon my thoughts from my conference talk ‘Threat Modeling Developer Behavior: The Psychology of Bad Code’.
When we talk about the software supply chain security, most people think only of dependencies (open-source libraries and frameworks). But the supply chain is so much more than just that. It’s everything we use to build, test, and release our software: our IDE (and all those wonderful extensions), our CI/CD pipelines (including every script, config,…
Recently, I had a great conversation with my friend Adam Shostack about a petition I started for the Canadian government to adopt a Secure Coding Policy that I wrote. Adam pointed out that my policy is very specific. Much more so than other government guidance like NIST or CISA’s publications. And he’s right! But I…
I had the opportunity to join an incredible panel at SecTor (a Black Hat event) in Toronto alongside Chad Breslin, Brett Grady, and Ian Hassard. We dove into the world of Vibe Coding! What it is, the risks it introduces, and how to use AI to write safer, more secure code.This video shares my key…
