Hello

I joined the board for The Forte Group, an advocacy and education non-profit organization that focuses on women in cyber. I’m a founding member, we started in 2020, and I decided it was time to step up and help more. I will be leading their community efforts. I suspect that my choice of how I will contribute to the board is not a surprise to anyone. :-D

I will be heading down to ‘Hacker Summer Camp’ in August, in Las Vegas, USA, to speak at The Diana Initiative, as well as the following villages at Def Con: AppSec Village, Policy Village, and the OWASP room. I plan to publish my schedule just like I did last year, and will also do at least 2 book signings at Black Hat (one with Reversing Labs and another with Semgrep).

Automate Like the AppSec wizard you are.

Still debugging the same glue scripts? Jenkins judging you silently? Smithy.security can help, SaaS or On-Prem. It lets you automate your AppSec workflows without reinventing the CI/CD wheel.Write once, reuse forever without copy-pasting bash pipelines. Use it to run tools exactly when and where you want. Chain actions like “scan --> find false positives --> fix --> open PR --> send polite Slack ”. Build custom workflows with code you actually want to maintain. Plug into anything: GitHub, Jira, Jenkins, a haunted Perl script we don’t judge. It’s like giving your AppSec team an extra pair of hands (that never take PTO).

New Content!

• I interviewed the most charming security professional I know, Laura Bell Main, about secure coding, AppSec, teaching, and gardening on my latest Semgrep webinar. Oh my gosh she had me in a fit of giggles!

• Semgrep Interviews (different ones than last newsletter) recorded at #RSAC:

  • Cristin Flynn Goodwin - Cyber warfare, terrorism, incident handling, and International cyber law (extremely interesting interview)

  • Nariman Aga-Tagiyev - DevSecOps

  • Jason Haddix and Clint Gibler (I am not in this interview, I just really like these guys!)

Events!

• July 2, 2025, 9 am, “Real World AppSec: What does it take?” with my friend Yabing Wang or JustWorks and The Forte Group, virtual, online, free

• July 23, 2025, “Artificial Risks: AI, Games, and Threats”, a Semgrep Webinar, online, free

• July 30th, 8:00 am PST, 30 Tips for Secure Javascript with Wild West Hackin Fest Community, free! Virtual

• August 4, 2025, Diana Initiative, Vegas, NV, USA, in person

• August 6, 2-3 pm, 2025: Book Signing at Reversing Labs booth at Black Hat, in person

• August 8-9, AppSec Village, Policy Village, and the OWASP room at Def Con, dates and times in the next newsletter, in person

• Sept 10 and 11 2025, GoSec in Montreal, Quebec, Canada

• Sept 19th, half day, live, virtual, Anti-Syphon Training Workshop: The OWASP API Security Top Ten 2023 with Tanya Janca, $25-$150 sliding scale

• October - A Canadian Capital surprise

• October 9-10, Wild West Hackin’ Fest - Deadwood, virtual talk!

• November 5, 2025 OWASP 2025 Global AppSec USA (Washington, DC), My training is $850, 1-Day Training: API Security: Hands-On Secure API Design & Hardening

• Nov 6-7, 2025 OWASP 2025 Global AppSec USA DC waiting to see if one of my talks are accepted, but either way I will be there as I get a free ticket for being a trainer.

• December 1-4, NDC Manchester, AI & Security, Manchester, UK, I will be giving security training and also a talk. I can’t wait!

• Feb 10-13, 2026 - Wild West Hackin’ Fest - Mile High, I will be giving training and also a talk! In person!

Random Topics Go Here

Since covid, I’ve become a part of a European community that was new to me, called NDC. It’s a series of 8 conferences per year, for developers and security professionals, across Europe.  At NDC Oslo last month I had the pleasure of interviewing Kjersti Sandberg, founder of the legendary NDC Conferences, about something very exciting — a brand-new AI + security + application development conference coming to Manchester in December 2025! ✨ NDC Manchester, AI & Security✨ 

Survey

Instead of a survey, I am going to answer this question I received from last month’s newsletter from Lynn: Whose job is it to assess an organization’s data for sensitivity, to guide the right level of security? My answer would be “the CISO,” but what if it’s a small shop, or software only shop?

My answer: In a perfect world, the Chief Information Security Officer (CISO) (or their team, often called “InfoSec” or “IT Security”) leads data classification efforts. But in smaller or software-only orgs (where a CISO might not exist) the responsibility is less clear. Which I realize is that classic cop-out “it depends” answer. But let’s look deeper.

Data sensitivity classification is a shared responsibility:

• Product owners or business analysts/reps usually understand what data the application collects and processes.

• Security champions (which you would not likely have in such a situation), devs with security responsibilities, or the lead dev/tech lead of a team can guide how to protect that data appropriately. They understand the data, and hopefully it’s sensitivity. They also have the power to add a label and document it, which is very important.

• Legal or compliance teams (if you have those) could help identify regulatory requirements like PIPEDA, GDPR, or HIPAA that your company needs to follow. Ideally they would create internal policy or other guidance to show everyone else what to do.

If there is no formal role or responsibility for data classification, someone has to step up. Ideally, it should be whoever has the best understanding of both the data and the risks. Even in very small teams, recognizing that “not all data is equally important or valuable” can be the first step toward protecting your sensitive data.

Do you have a question? Let me know! Also, how was my answer?

We end with a meme.