Software Secured

Phishing is no longer the biggest way attackers get in. Exploiting vulnerabilities is. Cisco Talos reports nearly 40% of all intrusions in Q4 2025 started with an exploited flaw. Phishing, the threat that's dominated security awareness training for a decade, has been pushed to second place. This matters for how SaaS companies think about where to invest in security. If most breaches now start with an unpatched or unknown vulnerability, training employees to spot suspicious emails is not the highest-leverage defense anymore. Knowing your actual attack surface is. The other finding that should recalibrate priorities: the window between public vulnerability disclosure and active weaponization is now measured in hours, not weeks. More on risk-based security programs in the link in the first comment. #PenetrationTesting #VulnerabilityManagement #SaaSSecurity

AI features are being shipped faster than they’re being threat modeled. The risk is that prompt injection is a control plane issue. If your AI system can: Access internal tools Retrieve sensitive data Trigger workflows Then, prompt injection becomes a way to pivot across systems. What can your AI do if it’s manipulated? How are teams thinking about this right now? Starting to model it like an attack surface? More info on AI Penetration Testing for LLMs, Agents, & MCP Servers in the comments. #ai #llmsecurity #appsec #cybersecurity

Most security programs are optimizing for the wrong attack surface. Here’s what raw pentest data shows: External network findings consistently dominate all other findings. By an order of magnitude. The internet-facing attack surface is still: the least controlled the most exposed and the most consistently exploitable It’s an accumulation problem. Legacy endpoints that never got retired Shadow infrastructure from past projects Misconfigured services spun up under pressure Partial fixes that created new entry points External exposure is what: Blocks enterprise deals during security reviews Creates incident pathways that bypass internal controls Turns small misconfigurations into public incidents Most organizations don’t have a security problem. They have an exposure management problem.

Business logic vulnerabilities don't have a CVE. They don't show up in your dependency audit. Your scanner won't find them. They exist in the gap between what your app is supposed to do and what an attacker can make it do. Alex Savard wrote a breakdown of how attack chain thinking changes what you actually find in a pentest: → https://lnkd.in/eWFZSSx9 #AppSec #WebSecurity #CyberSecurity #SecureDevelopment

The most dangerous thing in security is a developer who's never been shown what an attack looks like. Usually, it's because they're building features under deadline, and nobody ever showed them what "this API endpoint can be abused" actually means in practice. What actually works: showing developers real vulnerable code, walking through how it gets exploited, and then showing what the fix looks like; side by side. When engineers understand the attacker's thought process, they start asking different questions during code review. "Wait, what happens if someone sends a negative quantity here?" That question catches bugs before they ship. Security isn't a team. It's a habit of mind. https://lnkd.in/eibji2_6 #SecureDevelopment #AppSec #EngineeringCulture #CyberSecurity

The average time to detect a breach is 194 days. Six months of an attacker living in your environment. Mapping your network. Escalating privileges. Exfiltrating data slowly enough not to trigger alerts. By the time you know something happened, the damage is usually already done. This is why "we'll deal with security when something goes wrong" is such a costly strategy. The breach isn't the moment of impact; it's just the moment you find out. Detection is hard. Prevention is the better investment. #CyberSecurity #AppSec #IncidentResponse #SecurityLeadership

Threat modelling doesn't have to be a 3-day workshop. Here's a lightweight version your team can run in an afternoon: Step 1 — Draw your data flows Where does sensitive data enter your system? Where does it go? Where does it leave? If you can't draw this, you definitely can't secure it. Step 2 — Identify trust boundaries Where does one component hand off to another? API to database. Frontend to backend. Your system to a third party. Every boundary is a potential attack surface. Step 3 — Ask STRIDE for each boundary Spoofing. Tampering. Repudiation. Information Disclosure. Denial of Service. Elevation of Privilege. One question per threat category per boundary. Write down what could go wrong. Step 4 — Prioritize by impact, not likelihood A low-probability RCE matters more than a high-probability UI bug that leaks a username. Impact first. Step 5 — Turn findings into tickets Threat modelling that doesn't produce actionable work is just a whiteboard exercise. Save this for your next sprint planning, and if you need help, just reach out: https://lnkd.in/evZSXC5D #ThreatModelling #AppSec #SecureDevelopment #EngineeringLeadership

Broken access control has been the #1 vulnerability on the OWASP® Foundation Top 10 for three years running. It's #1 because it almost never gets caught in code review. It requires an attacker's mindset. Some vulnerability classes are inherently hard to catch without someone actually trying to break your app. #AppSec #OWASP #WebSecurity #CyberSecurity

Happy Hunting!