How hard can it be?
Breaking stuff is fun, but more often than not, you end up reporting the same vulnerabilities in the same products over and over. How hard can it be to fix them? Right?
Turns out that many of the problems on building secure products aren’t actually technical. You also need to work with people and processes, because in the end people aren’t the weakest link in security - people are the only link.
Why is it that you can find vulnerabilities in web apps with a day or two of training, but the developers still keep making these mistakes? What does it actually take to secure a web app or other product? What’s this talk about secure development process and do you really need that? Shifting left is great, but how much left do you need to shift?