SheHacksPurple: March 2026
The launch of DevSec Station Podcast, Alice and Bob Learn Book Streams, The OWASP Top Ten, and updates on the petition!

The SheHacksPurple Nerd-a-licious Newsletter
💜 Hit ‘reply’ to send me a message! I read every response and love hearing from you. 💜
Hi Everyone!
I am currently in San Francisco, missing B-Sides SF, so I can write this month’s newsletter (my life is so glamorous, lol). I’m doing it because 1) I have lots to tell you, 2) I am grateful that you subscribe and therefore I need to keep up my end of the bargain by actually delivering a newsletter each month, and 3) I’m super excited to announce my new podcast!
First things first: I finally released the first episode of DevSec Station: ‘Developers are Targets Now’! It’s currently syndicating to all podcast platforms in audio-only format, and a video version is on YouTube. Each episode will be a short and sweet security lesson for software developers. No guests. No interviews. No fluff. Straight to the point and very short (5-12 minutes). At the end of each lesson I will have an action you can take to protect yourself and your workplace right away. If you watch or listen, I would love feedback! I’m hoping to release one a month, but eventually maybe one a week; it depends on whether people like it or not. This is an experiment for me, and it’s really up to all of you whether it succeeds or not. Help me make it great by telling me what you think.
Secondly, I’m also FINALLY starting the live streams for my latest book, Alice and Bob Learn Secure Coding. Yes, that’s right! Once a month, a guest and I will spend 2 hours live discussing a chapter of the book, and you can attend (it’s free), ask questions, and nerd out with us! You can also sign up, not attend, and then receive a copy of the recording afterwards, if that’s more your speed. :-D The first event is April 10th, chapter 1 (security fundamentals) with guest Gerald Auger. The following month is chapter 2, with Ray Leblanc, and in June I will have Scott Helme to discuss chapter 3. I’m currently nailing down dates for the rest of the chapters and guests.
MORE: the NEW OWASP Top Ten 2025 is out! Below in the article section, in this very newsletter my friends, I am going to share the secret extra content from the end of the Top Ten, where we wrote about vibe coding!
Lastly, I would like to ask all Canadian subscribers again if you would please call your MP, sign petition e-7115, and make some noise about having a secure coding law in Canada. Seriously, please help! If you aren’t sure what to say, NO PROBLEM. Scroll to the end of this newsletter, I have written an email template you can send or read when you call.
Thank you,
Tanya 💜

I felt like this when Claude went down overnight two weeks ago…
Tines’ new Voice of Security 2026 surveyed over 1,800 global security leaders and practitioners to understand how work is evolving in the age of AI and the barriers that prevent them from unlocking its true value.
In the report, get industry insights on:
Why AI governance is becoming non-negotiable
Which skills matter most as AI reshapes security roles
Why intelligent workflows are critical to scaling AI safely and effectively
New Content!
DevSec Station Episode 1: Developers are Targets Now
I will try to write the next behavioural economics blog soon! I know this section is pretty light this month, I’ve had a lot going on!

Events!
March 23-26, RSAC in San Francisco - My talks are “Threat Modeling Developer Behaviour: The Psychology of Bad Code” on the 25th and “Insecure Vibes: Avoiding the Risks of AI-Assisted Coding” on the 26th
April 10, 11 am-1 pm PST: Alice and Bob Learn Secure Coding Book Stream: Chapter 1 with Gerald Auger as special guest. You do not need to RSVP if you do not want to; you can just join us live on YouTube on the day if you don’t need or want reminders.
April 16 & 17, 2026 - Keynote for SnowFroc in Denver, CO, USA
April 16th - Agentically Engineered: How AI Agents Are Rewriting the DNA of AppSec - An evening event with Semgrep and meeeeee! In person, open to all. Free.
May 5-8, 2026 NDC Toronto In person, developer conference
June 22-26 - OWASP Global AppSec, Vienna, I’m giving training and also a talk on the OWASP Top Ten 2025 with my project teammate Torsten!
August 3 (Monday) - I’m giving secure coding in C++ training at Black Hat! OMG THEY ACCEPTED MY TRAINING!
August 24-26, 2026 - Keynote for Sikkerhetsfestivalen (Security Festival) in Lillehammer, Norway! In person
September 12-18, Aurora, CO - I am booked to train at CPPcon! A software development conference dedicated to C++, where I will be offering a 2-day training on “Secure Engineering in Modern C++: Preventing Catastrophic Failures 2026”. I’m pumped! They expect 50,000 software developers to attend, holy SMOKES.
Which photo is better? A completely frivolous topic!

They took my photo at B-Sides SF. Which one should be my new headshot? Reply to vote.
Many people are unaware that although there are only ten ‘official’ items on the new OWASP Top Ten 2025, we added 3 honourable mentions at the end because we just could not help ourselves. Here’s number 13…
X03:2025 Inappropriate Trust in AI Generated Code ('Vibe Coding')
Currently the entire world is talking about and using AI, and this includes software developers. Although there are currently no CVEs or CWEs related to AI generated code, it is well known and documented that AI generated code often contains more vulnerabilities than code written by human beings.
We are seeing software development practices change to include not only code written with the assistance of AI, but code written and committed almost entirely without human oversight (often referred to as vibe coding). Just as it was never a good idea to copy code snippets from blogs or websites without thinking twice, the problem is exacerbated in this case. Good, secure code snippets were and are rare and might be statistically neglected by AI due to system constraints.
How to prevent.
We urge all people who write code to consider the following when using AI:
You should be able to read and fully understand all code you submit, even if it is written by an AI or copied from an online forum. You are responsible for all code that you commit.
You should review all AI-assisted code thoroughly for vulnerabilities, ideally with your own eyes and also with security tooling made for this purpose (such as static analysis). Consider using classic code review techniques as described in OWASP Cheat Sheet Series: Secure Code Review.
Ideally, write your own code, let the AI suggest improvements, check the AI's code, and let the AI make corrections until you are satisfied with the result.
Consider using a Retrieval Augmented Generation (RAG) server with your own collected and reviewed secure code samples and documentation, such as your organization’s security coding guideline, standard, or policy, and have the RAG server enforce any policies or standards.
Consider purchasing tooling that implements guardrails for privacy and security for use with your AI(s) of choice.
Consider purchasing a private AI, ideally with a contract agreement (including a privacy agreement) that the AI is not to be trained on your organization’s data, queries, code or any other sensitive information.
Consider implementing a Model Context Protocol (MCP) server in between your IDE and AI, then set it up to enforce the use of your security tooling of choice.
Implement policies and processes as part of your SDLC to inform developers (and all employees) of how they should and should not use AI within your organization.
Create a list of good and effective prompts that take IT security best practices into account. Ideally they should also consider your internal secure coding guidelines. Developers can use these prompts as a starting point for their programs.
AI is likely to become part of each phase of your system development life cycle, so plan for how to use it both effectively and safely. Use it wisely.
Vibe coding is not recommended for complex functions, business-critical programs, or programs that will be in use for a long time.
Implement technical checks and safeguards against the use of Shadow AI.
Train your developers on your policies, as well as safe AI usage and best practices for using AI in software development.
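As an added illustration of the “review with security tooling” and “tooling in between your IDE and AI” advice above (example code, not part of the OWASP Top Ten text and not any project’s tooling): a gate function that receives an assistant’s proposed file write, runs a check over it, and returns the findings instead of letting the write land. The rule set is a constructed stand-in for a real analyzer, and `scan`, `gate_write` and the two sample snippets are all hypothetical.

```python
import re

# Constructed rules standing in for a real analyzer (Semgrep, Bandit, CodeQL...):
# (rule id, compiled pattern, message to hand back to the model).
RULES = [
    ("py.eval", re.compile(r"\beval\s*\("), "eval() on data is code execution"),
    ("py.shell", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "shell=True enables command injection"),
    ("py.sqlfstr", re.compile(r"\.execute\(\s*f['\"]"), "SQL query built with an f-string"),
    ("secret", re.compile(r"(?i)(api[_-]?key|password|secret)\s*=\s*['\"][^'\"]{8,}"), "hard-coded credential"),
]

def scan(source):
    """Return (rule id, 1-based line, message) for every rule hit in source."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, message in RULES:
            if pattern.search(text):
                findings.append((rule_id, lineno, message))
    return findings

def gate_write(path, proposed):
    """Decide whether an AI-proposed write to `path` may reach the working tree.

    Returns (allowed, findings); findings go back to the caller so the model can
    be asked to correct the code instead of the write silently landing in a commit.
    """
    findings = scan(proposed)
    return (not findings, findings)

# Constructed sample: a plausible assistant-proposed file and its reviewed rewrite.
VIBE_CODED = '''import subprocess
API_KEY = "sk-constructed-example-key-123"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def lookup(cur, user):
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
'''
REVIEWED = '''import os, subprocess
API_KEY = os.environ["API_KEY"]
def run(args):
    return subprocess.run(args, shell=False)
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    for label, src in (("vibe-coded", VIBE_CODED), ("reviewed", REVIEWED)):
        allowed, findings = gate_write("app.py", src)
        print(label, "allowed" if allowed else "blocked", findings)
```

In a real deployment the pattern list would be replaced by a call to your analyzer of choice; the point is the control flow, where findings return to the model as feedback rather than the write going through unreviewed.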
We end with a meme.

It’s funny because it’s true…
Canada: You can still help!
Sign the Petition: If you haven't already, please sign here: Petition e-7115.
Contact Your MP: Reach out to your local MP to express your support for the petition and urge them to vote YES when it's presented during question period. You can find your MP's contact information by entering your postal code here: Find Your MP.
In case you want to call or write your MP…
Subject: Support for Petition e-7115 on Mandatory Secure Coding Policy
Dear [MP's Name],
As a constituent of [Your Riding], I am writing to express my strong support for Petition e-7115, which calls for the establishment of a mandatory secure coding standard across all federal departments and Crown corporations.
In an era where cybersecurity threats are increasingly sophisticated, it's imperative that our government takes proactive measures to safeguard sensitive information and critical infrastructure. Implementing standardized secure coding practices will not only enhance our national security but also reduce the risk of costly breaches and service disruptions.
I urge you to support this petition and advocate for its adoption in the House of Commons.
Sincerely,