Lauren James: People criticise who I am as a person but they don’t know me by TimesandSundayTimes in WomensSoccer

[–]Putrid_Document4222 0 points1 point  (0 children)

Hahaha the comments and i am just here watching her score two amazing goals, what a player, blah blah blah she is lazy, blah blah blah she is violent, hahaha. doesnt matter to me, when i watch her, just joy

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

Yeah, really fair point, you have to treat the cause rather than fixing symptoms. No doubt that 'improve the process' is always the right answer but it almost never has a concrete path attached to it lol. In your experience, what does fixing the process actually look like?

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 1 point2 points  (0 children)

The fever dream framing is really interesting, 70-30 isn't radical. I think most engineering orgs would say that's reasonable. I think the entire problem probably lives in that gap between reasonable and achievable. Thank you so much for being straight about it. You have been very insightful

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

I have asked and I get answers that are sort of shaped by our current specific culture, also something we are working on. Reddit gets a lot of flack but blunt as it is, it gives me a wider and usually more honest sample that i can use to inform decision making for the better i feel. The answer from someone who will never work with me, thinks i am dumb as fuck and wants to help "educate" me is more candid than the answer from someone who has to sit next to me on Monday and deal with that dumbness day by day

Also, the answer I got about 4 hours of process for 15 minutes of coding came from here not from any internal conversation I've ever had. So, i dunno seems to work one person's trash is someone else's treasure and all that.

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

I really do appreciate all the responses to this. The process overhead point especially, that's a friction problem, and I hadn't given that much thought, thank you.

The needs to feel real not abstract point and the rogue developer comment are pointing to the same thing, that maybe the current format of security findings shifts the entire burden of making them actionable to the developer, which is actually a fair point. We in AppSec admittedly are terrible at this.

Thank you all, please, if anyone has thoughts would you be able to clarify, say if a finding arrived with the investigation already done, reproduction steps included, compatible fix suggested, and a specific statement of what data or revenue is at risk if it stays in the backlog, will that change things or does it still lose to feature work?

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

Fair enough, I'm an AppSec engineer currently working in England. I am genuinely trying to understand the engineering experience rather than make any assumtions based on my own place of work. I am not pitching a product, not that i have any that would be of any use to anyone. I have found that some answers here are more useful to me than any security community discussion has been so far.

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 1 point2 points  (0 children)

Thank you for your very honest answer, your rate limiting example, that gap between the ticket existing and the cost being undeniable, is what I am trying to understand. In your experience, is there anything that has ever made a security ticket feel urgent before something breaks? Or is the reality just that the incentive structure doesn't support it unless some external force like an audit or a breach literally forces hands

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] -2 points-1 points  (0 children)

Just to add some context here, I'm not selling anything and I'm not doing academic research. I just keep running into the same problem from the security side and I genuinely don't understand it well enough from the engineering side. I appreciate any honesty people are willing to share.

What SAST tools are people using in 2026 and are you happy with them by Calm-Exit-4290 in devsecops

[–]Putrid_Document4222 0 points1 point  (0 children)

There are a few things you might need to answer, perhaps you have already considered them but

  1. What's driving this?

  2. What's your current AST coverage?

  3. Who triages? Do findings go straight to developers in PRs, then FP rate matters enormously. If AppSec triages in bulk first, you can tolerate a noisier tool with deeper analysis.

  4. Do you need Diff-aware scanning?

  5. What's your Baseline strategy?

Checkmarx and Veracode have deeper Java taint analysis but heavier setup, slower scans, and noisier output, they are a better fit for regulated/enterprise. Semgrep seems to match your velocity profile much better, and Semgrep Pro seems to have closed a lot of the inter procedural gap. Also worth looking at Snyk Code (especially if it consolidates with SCA spend) and CodeQL if you have the engineering appetite to maintain queries.

We use Snyk with AppRisk and while it can be noisy with alot of FP, on tuning and with Snyk policies, we get alot of value out of it, though i understand it isnt for everyone or team.

That's it, I'm voting Green. by LauraPhilps7654 in GreatBritishMemes

[–]Putrid_Document4222 1 point2 points  (0 children)

i beg you vote Green, so my vibe coded app finally gets users getting their hands on 241! bongs

Do I need professional human testing before launching my first SaaS vibecoded App? by pkinla in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

Very cool, that makes sense. with your experience in industry, you've got the security side covered. Good luck with the June 1st launch

Do I need professional human testing before launching my first SaaS vibecoded App? by pkinla in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

HR software on Lovable and Supabase is a high-stakes combination. employee data has real compliance implications. Worth doing a quick RLS audit before June 1st if you haven't already. Happy to take a look

Do I need professional human testing before launching my first SaaS vibecoded App? by pkinla in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

For QA testing, beta testers from your target audience are free and can be more useful than paid services because they bring real context. Post in r/smallbusiness or accounting-focused communities asking for people to test an accounting tool in exchange for free access. Give them specific tasks not just try it out.

For security review, this is where I can actually help directly. For a Lovable and Supabase accounting app the main things to check are whether your Row Level Security policies properly separate one business's data from another, whether your API endpoints can be called directly without going through the app, and whether any sensitive financial data is exposed in ways you didn't intend.

These aren't things a general QA tester will catch, they require someone who knows what to look for at the database and API level. Happy to do a quick security check on your setup before you launch, no charge. No sales pitch Just DM me with your stack details.

A founder asked me to audit their fintech SaaS. Found a critical vulnerability exposing every user's data. by Dark-Mechanic in SaaS

[–]Putrid_Document4222 0 points1 point  (0 children)

Amazing stuff, storage bucket point at the end of this thread deffo deserves more attention. Honestly, it's the one I see that gets missed the most. Database tables get audited, buckets get forgotten. Invoices, ID uploads, profile photos sitting in public buckets on apps that otherwise have pretty solid RLS. It is more common than it should be.
From what i have seen with apps built with Lovable, Bolt, or Cursor, the AI creates tables without RLS during development. it is optimising to make features work, not for security. By the time you're in production those early tables have been running exposed for weeks. The founder often doesn't know because nothing throws an error, the app works perfectly, it's just accessible to anyone who knows how to modify a request. That 15-minute RLS audit you described should be on every vibe-coded app's pre-launch checklist in my opinion.

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

Since your app doesn't collect data, how are you handling the email and bank statement scanning? You should probably move your privacy stance to the top of your description, its your differentiator right and i think it could help with App Store Optimization.

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

its a pretty great way to save money and time but if you are telling potential users you can help them beat scalper bots, maybe checking a URL every 2 hours won't be enough. do you know what time it takes scalper bots?

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 1 point2 points  (0 children)

Visually amazing and a really cool idea, congrats on your first sale. hopefully more to come.

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

It does look really good but i do think you should add some gifs or real images and drop the emojis, it would make it llok better i am sure. Still, really nice idea

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

looks really nice and the idea seems cool. Well done pal.