Welcome!
Welcome to the first post of my as-yet-unnamed newsletter! Nice to meet you; let’s introduce everyone in the room.
You are an application security practitioner, decision maker, or leader faced with the challenge of getting developers to build better software. There’s a lot of news happening, but you’re having a hard time figuring out which news and intel is actionable and which is fluff. Things like ransomware aren’t what keep you up at night, but the fact that Log4j introduced a whole new class of JNDI injection and nobody seemed to care does.
I am a mid-level appsec professional who gets to spend a lot of time thinking about systemic problems that lead to software vulnerabilities. My time is split between making sense of news stories so we can learn lessons from those who didn’t learn from past mistakes, helping appsec managers build programs that let smart people do smart things, and thinking about the questions that I’m going to be asked about in a year so we have answers much sooner.
If you’re still here and reading this, then you might be interested in following along with my rants and rambles. I’m not going to commit to something weekly, but I’ll probably drop a couple hundred words whenever something particularly interesting comes along.
Right now, if you’re interested in how AI and ML will be a blessing and a curse to software security, in federal cybersecurity regulations like the SSDF and the EO, and in how all this affects people, then you might want to stick around for some of my thoughts and musings.