SheHacksPurple: October 2025
Washington DC, Manchester UK, Online Events, StackOverflow, and more!
The SheHacksPurple Nerd-a-licious Newsletter
💜 Hit ‘reply’ to send me a message! I read every response and love hearing from you. 💜
Hello Everyone!
I’m back from SecTor, OWASP Ottawa, appearances at several virtual events including (Wild West Hackin’ Fest!), an in-person training contract, and visiting my parents in Ontario. I also finished all the audio recording edits for Alice and Bob Learn Secure Coding while I was there (look for it on Audible Oct 28th)! Now I’m at home, preparing my small farm for the winter, and I made a little video of how to winterize dahlia tubers (the roots of the plants, they hibernate over the winter) in case you’re curious. I’ve also got a lot of free webinars coming up (with Harness and Smithy!), and a brand new article in StackOverflow. Plus, travel plans for DC (OWASP Global AppSec), and the UK (NDC Security, OWASP London and potentially more events), so please check out the events section if you have time.
FYI, we (the project team) will be releasing the brand new OWASP Top Ten Risks to Web Applications, on stage, at OWASP Global AppSec, in Washington, DC, November 6th!
I should also mention that I was very honoured to receive The Rita Award at Wild West Hackin’ Fest, which is given to one individual a year for making significant contributions to the cyber security community. ☺️ It was such a surprise… I wasn’t expecting that. Especially coming from someone like John Strand who does so much. It’s probably good we couldn’t get the mic to work as I was pretty much speechless (but very happy about it). ☺️☺️☺️☺️
I’ve also hired a few students via a government program from Venture for Canada to help me plan my new community project, DevSecStation. I have 3 of them, part time, for 7 weeks. I forgot what it was like to work with young people, oh my, so many amazing ideas already!
Tanya
We Surveyed 250+ Enterprise Security Leaders on Offensive Security Strategy
Praetorian’s 2026 Offensive Security Outlook Report examines how enterprise leaders are thinking about offensive security strategy in 2026, and how offensive measures should inform defensive tactics.
The hard realities are that only 15% of enterprises are confident that they can track their IT asset inventory, and 68% report that they still have thousands of unresolved vulnerabilities. Nearly 30% can’t correlate threat data across sources, which results in material risk creation.
This free 23-page report discusses not only the current industry statistics, but measures that you can take to reduce material risk.
New Content!
Secure coding in JavaScript, StackOverflow blog post by meeeeeee
Secure Code Is Critical Infrastructure: Hacking Policy for Public Good, my talk from Def Con (and Sector and OWASP Ottawa), is finally out! If you watch it, perhaps give me a “thumbs up” on YouTube?
Vibe Check: A Panel Discussion at SecTor 2025 - a blog post and video
The Katilyst State of Security Champions Report, which I did not write, but it’s really good content so I wanted to include it.
Events!
November 5, 2025 OWASP 2025 Global AppSec USA (Washington, DC), My training is $850, 1-Day Training: API Security: Hands-On Secure API Design & Hardening - in person - all proceeds go to OWASP Foundation (ticket price - cost of my travel)
Nov 6-7, 2025 OWASP 2025 Global AppSec USA (Washington, DC), my talk was accepted: Threat Modeling Developer Behaviour: The Psychology of Bad Code - in person
Nov 6, Book signing and give away at Smithy booth at Global AppSec, 3:00 pm Eastern
Nov 7, 7:30 am Eastern - Coffee meetup in the morning! Email me back to RSVP
Nov 12, 1:00 PM - 3:30 PM EST, DevSecOps Summit with Harness! Free and online. I’m doing a fireside chat to open the event with Adam Arellano about AI security in software development. Virtual
Nov 12, 8:30 to 9:30 am PST: Metrics, Models & Mindsets: The Future of Application Security, with myself, Spyros Gasteratos of Smithy and Aram Hovsepyan of Codific. Tune in for a ‘post OWASP Global AppSec’ panel about what we think the future of AppSec will be! Virtual
November 27, 2025, evening, in person OWASP Victoria Meetup!
December 1-2, Training Session at NDC Manchester, AI & Security Secure Coding & API Hardening: Hands-On Secure Design, Development, and Threat Modelling - in person
December 3-4, NDC Manchester, AI & Security, Manchester, UK, I will be giving TWO talks! in person
December 5th - OWASP London, in person! Free!
Feb 10-13, 2026 - Wild West Hackin’ Fest - Mile High, I will be giving training and also a talk! In person!
March 26 & 27, 2026 - SnowFroc in Denver, CO, USA, I’m the opening keynote so please don’t sleep in! In person
July 2026: Keynote for DevOpsDays Lima in Peru! That’s right folks, I’m going back to South America! In person
Random

Remind me next time I say “I’m going to write another book” just how much work it is. And then maybe punch me for good measure?
We end with a meme.

Replace “from StackOverflow” with “from an AI” and BINGO!