SheHacksPurple: April 2026

Join me this Friday for my first book stream!

The SheHacksPurple Nerd-a-licious Newsletter

💜 Hit ‘reply’ to send me a message! I read every response and love hearing from you. 💜

Hi Everyone!

I’m super excited to start the live streams for my latest book soon (this Friday and May 10th), and thank you all for the amazing feedback about the new podcast, DevSec Station! Please remember to give me a review (hopefully a good one) and share it with friends.

Right now I’m having a lot of thoughts about how AI is changing literally everything we do, how developers are becoming the new attack surface (especially for mature/advanced threat actors) and, of course, behavioural economics (see article below). If you got to choose which of these subjects I wrote about, which one would you choose? Just reply to tell me your thoughts.

Please talk to your MP Canada.

I am once again asking: Canadian subscribers please call your MP about petition e-7115. Seriously Canada! We could lead the way on secure coding worldwide with the first law, and this is our chance! Many of you have told me you care, but actions speak louder than words, so show me you mean it by talking to your MP. Pretty please. 🙏 Suggestions on what to say at the end of the newsletter. Also, yes, ChatGPT made that silly image. It even kinda looks like me!

Lastly, for the “which photo is best” frivolous question last month: IT WAS A PERFECT TIE! So I will use both. 🥰 Thank you to all of you who answered my silly survey.

Thank you,

Tanya 💜

I feels it!

Most AI projects stall. Robinhood’s didn’t.

88% of AI proof-of-concepts never make it to production, according to IDC.

That wasn’t the case for Robinhood.

On April 23rd, join the Robinhood team live as they walk through their journey with AI, from evaluation to production. You’ll hear first-hand how they:

  • Doubled alert triage capacity across all severity levels

  • Built multi-agent AI systems to handle complex investigations

  • Use human-in-the-loop guardrails and confidence scoring to maintain accuracy

If you're interested in maximizing your AI investment, this is the live session for you.

New Content!

Where do I buy this card? I have some friends who need it.

Events!

Article

The behaviour: Copying and pasting from online forums

What this looks like in the real world

  • Copying code from Stack Overflow, GitHub, blog posts, or comments without fully understanding it or verifying assumptions.

  • Submitting this copied code as your own without proper verification, because it’s been upvoted to the top (plus it compiles!).

  • Reusing custom code for security controls that you do not understand

  • Pasting copied code during an incident or other stressful time with the plan to replace it ‘later’, but later never comes

This often shows up when we are stuck, frustrated, or rushed, and it is usually a way to get past complex syntax or integration issues.

Behavioural biases at play

  • Authority bias: If many people upvoted it, it must be correct.

  • Availability heuristic: The easiest answer to find feels like the best one.

  • Social proof: “If everyone else is using this, it’s probably fine.”

These biases are rooted in trust (authority bias and social proof) and in the need to conserve mental energy (all three). Trusting authority figures often works out well, and we, as knowledge workers, always want to reduce cognitive load.

Why this behaviour makes sense in the moment

  • Documentation is often unavailable, out of date, or hard to search, or your problem simply is not covered

  • Official examples are frequently incomplete or do not cover your edge case

  • Forums feel (and are) faster and more human than using an AI or the official docs

  • The code “worked for someone else” (many someone elses, in fact)

  • We are rewarded for unblocking ourselves/releasing/finding a solution quickly

This is not reckless. It’s efficient, in the moment. And frankly, it usually does work out well. That’s why so many of us do it. Unfortunately, most developers are unaware that the ‘top upvoted solution’ is usually also the least-secure answer.

Me in San Francisco 2 weeks ago. Check out my ridiculous sleeves!

The security risk

  • Security trade-offs are not documented, and security features are often turned off to ensure “it just works”

  • Posts are often outdated, and the libraries they rely on may be very out of date

  • The person posting the solution has no idea what use case you have

  • People upvote things based on ‘it compiles’ not ‘it’s safe’

  • No security review of any of this, ever

This is how AI has ended up trained on insecure patterns: it spent a lot of time on these forums as part of its training.

Solutions:

Training

Training developers on how to review code, that ‘the upvoted solution is not necessarily secure’, and that they are responsible for what the commit contains, is a start. But we already know training alone isn’t enough to solve any of these systemic problems. Why?

  • People may not remember or prioritize rules when stuck and frustrated

  • Search results don’t come with warnings (maybe they should?)

  • Most developers are rewarded based on speed, not verification (raises and promotions for fast features, punishment only if something goes wrong, and breaches seem rare)

Another idea for this category: Create a technical library (a bookshelf where anyone can borrow anything) and add copies of both my books, and several other security books you like. Then tell the developers the books are there, and that they can request other books they want. Don’t have due dates, just email them after a month and ask if they like the book so far. If they are reading it, let them have it as long as they want, it’s a win.

Secure Defaults

If developers are going to copy-paste anyway (because they are), let’s give them safer things to copy. Lean in.

  • Create and maintain an internal library of approved, secure code examples. Include all the security controls you can: how to implement the secret management tool, your identity/session management/AuthN, functions for authorization/access control, regex for input validation (including unit tests to make sure you got it juuuuust right)

  • If you can add a checklist for code review as part of your pull request process, that could also be helpful (assuming it’s not ignored). Be reasonable with this list; if it’s too long, you will not get what you want.

  • If you can force an additional reviewer for when they’ve changed or added security controls, that would be a nice point of friction to ensure it’s given more attention.
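As an added illustration of one entry in such an approved-snippet library (constructed here, not taken from the newsletter or any particular project): an allow-list username validator showing the regex mistakes pasted snippets commonly carry, beside the approved version and the unit tests that ship with it. The pattern, length bound and test table are assumptions made for the example.

```python
import re

# Added example of an entry in an internal "approved, secure code" library:
# allow-list validation of a username, with the regex pitfalls that pasted
# snippets commonly carry, and the unit tests that ship with the approved snippet.

# Weak pattern, as often copied from a forum answer. In Python, `$` also matches
# just before a trailing newline, so "alice\n" passes, and there is no length bound.
WEAK_USERNAME = re.compile(r"^[a-zA-Z0-9_]+$")

# Approved pattern: explicit ASCII allow-list (not \w or \d, which also match
# non-ASCII letters and digits in Python 3), an explicit length bound, and
# re.fullmatch, which requires the entire string to match with no newline exception.
APPROVED_USERNAME = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username_weak(value: str) -> bool:
    """The forum version, kept only to show what the tests catch."""
    return WEAK_USERNAME.match(value) is not None


def is_valid_username(value: str) -> bool:
    """The approved version: reject anything that is not a str or does not fully match."""
    return isinstance(value, str) and APPROVED_USERNAME.fullmatch(value) is not None


# Constructed test table: the cases a reviewer should expect the snippet to handle.
USERNAME_CASES = {
    "alice_01": True,
    "alice\n": False,        # trailing newline: the weak pattern accepts this
    "ab": False,             # below the minimum length
    "a" * 33: False,         # above the maximum length
    "alice;drop": False,     # punctuation outside the allow-list
    "": False,
}


def run_self_tests() -> dict[str, bool]:
    """Map each case to whether the approved validator gave the expected answer."""
    return {value: is_valid_username(value) == expected
            for value, expected in USERNAME_CASES.items()}
```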

Environmental Design

Ideally, we want to put guidance where decisions happen. If someone pastes code into an IDE, can we flag known risky patterns? Something like: “This pattern matches a known insecure pattern (CWE-###). Please review.” I know some SAST tools do this, but I suspect AI will soon do it for us too. Perhaps the IDE should also alert when a bunch of code ‘suddenly appears’ with “Hey, it looks like you just did a big copy/paste, did you get that code from a place you trust? If not, please review carefully.”

This kind of nudge or pause, right at the moment of decision, can be more effective than a training session from six months ago. But combining both might be a better option.

Friction

If someone pastes in long, complex, or security-sensitive code, require a short explanation before merge. If you can’t explain what it does, you probably shouldn’t be committing it. Right? ** This isn’t about slowing people down. It’s about making them think when we need them to think: when they are making an important decision. Remember: the rest of the time we want the security guardrails to be invisible unless something is going wrong.

** Note: recently Anthropic released a paper stating people are not actually reviewing AI generated code, especially complex, multi-file bug fixes. The “human in the loop” advice appears not to be something most of us are doing in practice. While I greatly appreciate the honesty from Anthropic (truly), it’s disheartening. Again, I don’t feel this is “developers not caring”. I theorize they are currently panicking as many people they know are losing their jobs to AI and if someone else can commit 10,000 lines of code a day in the cubicle next to them, they better be able to do it too. I feel like developers and many other knowledge workers are under so much pressure I’m surprised we don’t all turn into diamonds. I’m concerned too folks. 💜
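One way to put both the Environmental Design nudge and the Friction step into the pipeline, as an added example that is not from the newsletter: a pre-merge script that scans the pull request's diff and blocks the merge when it finds a large pasted block or a known insecure pattern, unless the author has explained it in a commit trailer. The threshold, the trailer name, the pattern list and the sample diff are constructed for illustration; the CWE ids are the standard ones for the patterns named.

```python
import re

# Added example: a pre-merge check that puts the nudge where the decision happens: it flags
# a block of code that "suddenly appears" in one hunk and added lines that match known
# insecure patterns, then requires a "Security-Justification:" trailer (a name chosen here).
RISKY_PATTERNS = {
    "CWE-295 TLS certificate verification disabled": re.compile(r"verify\s*=\s*False"),
    "CWE-78 subprocess call with shell=True": re.compile(r"shell\s*=\s*True"),
    "CWE-798 hard-coded credential": re.compile(r"""(?i)\b(password|secret|api_key)\s*=\s*["'][^"']+["']"""),
}
# Constructed sample diff: a small pasted helper that turns TLS verification off.
SAMPLE_DIFF = """\
diff --git a/client.py b/client.py
--- a/client.py
+++ b/client.py
@@ -1 +1,5 @@
 import requests
+def fetch(url):
+    session = requests.Session()
+    session.verify = False  # pasted from a forum answer that "just works"
+    return session.get(url).text
"""
def review_diff(diff_text: str, large_paste: int = 40) -> list[str]:
    """One finding per risky added line, plus one per hunk adding large_paste or more lines."""
    findings, added_per_hunk, in_hunk = [], [], False
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False                  # file headers ("+++ b/...") follow, not code
        elif line.startswith("@@"):
            in_hunk = True
            added_per_hunk.append(0)
        elif in_hunk and line.startswith("+"):
            added_per_hunk[-1] += 1
            code = line[1:]
            for label, pattern in RISKY_PATTERNS.items():
                if pattern.search(code):
                    findings.append(f"hunk {len(added_per_hunk)}: {label}: {code.strip()!r}")
    for number, count in enumerate(added_per_hunk, start=1):
        if count >= large_paste:
            findings.append(f"hunk {number}: {count} lines added at once; did this code "
                            "come from a place you trust? If not, review it carefully.")
    return findings

def merge_allowed(diff_text: str, commit_message: str, large_paste: int = 40):
    """Friction: findings block the merge unless the author explained them in a trailer."""
    findings = review_diff(diff_text, large_paste)
    justified = re.search(r"^Security-Justification:\s*\S", commit_message, re.M) is not None
    return (not findings) or justified, findings
```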

Social / Cultural

We need to normalize being able to say: “I don’t trust this code.” And honestly, building psychological safety in a professional setting is hard. When I switched from being a developer to a manager (briefly), then into security, then back and forth between management/DevRel/trainer/AppSec/IR, I had to learn to communicate a lot better. I had to learn persuasion, negotiation, how to explain technical things to really smart people who aren’t-so-technical, among other communication skills. If you lead a team of developers, ensuring they feel okay to discuss such things, and bringing up topics like this at team gatherings, will get you a lot further than hoping they start these conversations for themselves.

Conclusion

Copy-pasting isn’t the whole problem. Copy-pasting without understanding, verification, or guardrails is the problem. Let’s design systems to make this harder to do.

Up next… Shiny new tech obsession!

We end with a meme.

Canada: You can still help!

  1. Sign the Petition: If you haven't already, please sign here: Petition e-7115.

  2. Contact Your MP: Reach out to your local MP to express your support for the petition and urge them to vote YES when it's presented during question period. You can find your MP's contact information by entering your postal code here: Find Your MP.

In case you want to call or write your MP…

Subject: Please Support Petition e-7115 (Secure Coding in Government)

Dear [MP’s Name],

I’m writing as a constituent from [Your Riding] to ask for your support of Petition e-7115, which calls for mandatory secure coding practices across federal departments and Crown corporations.

Right now, much of the software our government relies on is built without consistent, enforced security standards. That creates unnecessary risk, not just for government systems, but for the Canadians who depend on them. We’ve all seen how costly and disruptive preventable vulnerabilities can be.

This petition is a practical step forward. Secure coding standards are well understood, widely used in industry, and proven to reduce risk when applied consistently. Adopting them at the federal level would help prevent issues before they happen, rather than reacting after the damage is done.

I hope you will support this petition and advocate for stronger, proactive cybersecurity measures in government systems.

Thank you for your time and for representing our community.

Sincerely,
[Your Name]
[Your Postal Code]