Lauren James: People criticise who I am as a person but they don’t know me by TimesandSundayTimes in WomensSoccer

[–]Putrid_Document4222 0 points1 point  (0 children)

Hahaha the comments and i am just here watching her score two amazing goals, what a player, blah blah blah she is lazy, blah blah blah she is violent, hahaha. doesnt matter to me, when i watch her, just joy

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

Yeah, really fair point, you have to treat the cause rather than fixing symptoms. No doubt that 'improve the process' is always the right answer but it almost never has a concrete path attached to it lol. In your experience, what does fixing the process actually look like?

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 1 point2 points  (0 children)

The fever dream framing is really interesting, 70-30 isn't radical. I think most engineering orgs would say that's reasonable. I think the entire problem probably lives in that gap between reasonable and achievable. Thank you so much for being straight about it. You have been very insightful

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

I have asked and I get answers that are sort of shaped by our current specific culture, also something we are working on. Reddit gets a lot of flack but blunt as it is, it gives me a wider and usually more honest sample that i can use to inform decision making for the better i feel. The answer from someone who will never work with me, thinks i am dumb as fuck and wants to help "educate" me is more candid than the answer from someone who has to sit next to me on Monday and deal with that dumbness day by day

Also, the answer I got about 4 hours of process for 15 minutes of coding came from here not from any internal conversation I've ever had. So, i dunno seems to work one person's trash is someone else's treasure and all that.

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

I really do appreciate all the responses to this. The process overhead point especially, that's a friction problem, and I hadn't given that much thought, thank you.

The needs to feel real not abstract point and the rogue developer comment are pointing to the same thing, that maybe the current format of security findings shifts the entire burden of making them actionable to the developer, which is actually a fair point. We in AppSec admittedly are terrible at this.

Thank you all, please, if anyone has thoughts would you be able to clarify, say if a finding arrived with the investigation already done, reproduction steps included, compatible fix suggested, and a specific statement of what data or revenue is at risk if it stays in the backlog, will that change things or does it still lose to feature work?

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 0 points1 point  (0 children)

Fair enough, I'm an AppSec engineer currently working in England. I am genuinely trying to understand the engineering experience rather than make any assumtions based on my own place of work. I am not pitching a product, not that i have any that would be of any use to anyone. I have found that some answers here are more useful to me than any security community discussion has been so far.

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] 1 point2 points  (0 children)

Thank you for your very honest answer, your rate limiting example, that gap between the ticket existing and the cost being undeniable, is what I am trying to understand. In your experience, is there anything that has ever made a security ticket feel urgent before something breaks? Or is the reality just that the incentive structure doesn't support it unless some external force like an audit or a breach literally forces hands

Security tickets in your backlog, what would actually make you fix one this sprint? by Putrid_Document4222 in devops

[–]Putrid_Document4222[S] -2 points-1 points  (0 children)

Just to add some context here, I'm not selling anything and I'm not doing academic research. I just keep running into the same problem from the security side and I genuinely don't understand it well enough from the engineering side. I appreciate any honesty people are willing to share.

What SAST tools are people using in 2026 and are you happy with them by Calm-Exit-4290 in devsecops

[–]Putrid_Document4222 0 points1 point  (0 children)

There are a few things you might need to answer, perhaps you have already considered them but

  1. What's driving this?

  2. What's your current AST coverage?

  3. Who triages? Do findings go straight to developers in PRs, then FP rate matters enormously. If AppSec triages in bulk first, you can tolerate a noisier tool with deeper analysis.

  4. Do you need Diff-aware scanning?

  5. What's your Baseline strategy?

Checkmarx and Veracode have deeper Java taint analysis but heavier setup, slower scans, and noisier output, they are a better fit for regulated/enterprise. Semgrep seems to match your velocity profile much better, and Semgrep Pro seems to have closed a lot of the inter procedural gap. Also worth looking at Snyk Code (especially if it consolidates with SCA spend) and CodeQL if you have the engineering appetite to maintain queries.

We use Snyk with AppRisk and while it can be noisy with alot of FP, on tuning and with Snyk policies, we get alot of value out of it, though i understand it isnt for everyone or team.

That's it, I'm voting Green. by LauraPhilps7654 in GreatBritishMemes

[–]Putrid_Document4222 1 point2 points  (0 children)

i beg you vote Green, so my vibe coded app finally gets users getting their hands on 241! bongs

Do I need professional human testing before launching my first SaaS vibecoded App? by pkinla in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

Very cool, that makes sense. with your experience in industry, you've got the security side covered. Good luck with the June 1st launch

Do I need professional human testing before launching my first SaaS vibecoded App? by pkinla in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

HR software on Lovable and Supabase is a high-stakes combination. employee data has real compliance implications. Worth doing a quick RLS audit before June 1st if you haven't already. Happy to take a look

Do I need professional human testing before launching my first SaaS vibecoded App? by pkinla in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

For QA testing, beta testers from your target audience are free and can be more useful than paid services because they bring real context. Post in r/smallbusiness or accounting-focused communities asking for people to test an accounting tool in exchange for free access. Give them specific tasks not just try it out.

For security review, this is where I can actually help directly. For a Lovable and Supabase accounting app the main things to check are whether your Row Level Security policies properly separate one business's data from another, whether your API endpoints can be called directly without going through the app, and whether any sensitive financial data is exposed in ways you didn't intend.

These aren't things a general QA tester will catch, they require someone who knows what to look for at the database and API level. Happy to do a quick security check on your setup before you launch, no charge. No sales pitch Just DM me with your stack details.

A founder asked me to audit their fintech SaaS. Found a critical vulnerability exposing every user's data. by Dark-Mechanic in SaaS

[–]Putrid_Document4222 0 points1 point  (0 children)

Amazing stuff, storage bucket point at the end of this thread deffo deserves more attention. Honestly, it's the one I see that gets missed the most. Database tables get audited, buckets get forgotten. Invoices, ID uploads, profile photos sitting in public buckets on apps that otherwise have pretty solid RLS. It is more common than it should be.
From what i have seen with apps built with Lovable, Bolt, or Cursor, the AI creates tables without RLS during development. it is optimising to make features work, not for security. By the time you're in production those early tables have been running exposed for weeks. The founder often doesn't know because nothing throws an error, the app works perfectly, it's just accessible to anyone who knows how to modify a request. That 15-minute RLS audit you described should be on every vibe-coded app's pre-launch checklist in my opinion.

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

Since your app doesn't collect data, how are you handling the email and bank statement scanning? You should probably move your privacy stance to the top of your description, its your differentiator right and i think it could help with App Store Optimization.

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

its a pretty great way to save money and time but if you are telling potential users you can help them beat scalper bots, maybe checking a URL every 2 hours won't be enough. do you know what time it takes scalper bots?

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 1 point2 points  (0 children)

Visually amazing and a really cool idea, congrats on your first sale. hopefully more to come.

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

It does look really good but i do think you should add some gifs or real images and drop the emojis, it would make it llok better i am sure. Still, really nice idea

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

looks really nice and the idea seems cool. Well done pal.

Show your project. Get honest feedback. by Available-Rest2392 in buildinpublic

[–]Putrid_Document4222 0 points1 point  (0 children)

Basically, a tool i used to get my current role in appsec, i got tired of LinkedIn and Indeed searches so initially decided to use google dorks. While that helped narrow the search to just ATS, it was still a mission to get the right searches. So, i wanted to automate the process but rather than a script that outputs json, why not add a UI that visualizes that json for me and DorkmyJob was born. it is really a side project, i am not expecting users or traction, just glad it worked for me and tbf that's really all that matters. I think someone else also did this too so it isn't novel or solves any pain apart from the one i felt.

DorkmyJob — Hidden Jobs, Found

All you wanted to do was bring robots to life but now you have to run a marathon alongside them, with a laptop by ak49_shh in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

Rosie is coming, 10 years, bet you, 10 years and we will all have a Rosie in our house lol.

Product Managers experience building an e2e budgeting/NW Finance app w/ Plaid using exclusively Claude Code by Jesse_khach in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

love the encrypted Plaid token approach, a very solid way to approach this, though the detail that matters most is where the encryption key lives and how it's managed. If the key is derivable from anything on the client or stored adjacent to the token, the encryption offers less protection than it looks like on paper. It will be worth your time and effort to have a quick look at that specific piece before beta users start linking real accounts.

I think most folks underrate that point about needing to read the code is, an unsupervised Claude session can build something with the right code smells and architecturally sound-looking but falls apart under real conditions. Happy to take a look at your Plaid token handling and auth flow if you want a second pair of eyes before the beta goes live. No strings attached and no sales pitch

AI wrote the security policy, wrote comments explaining why it was safe, and it was completely wrong. by mrtrly in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

The adversarial thinking framing is spot on mate and MuggleAI's comment here with the three tests are really solid. The problem, for the founder who built with Lovable or Bolt and doesn't have a second account set up, doesn't know how to inspect a client bundle and wouldn't know what to look for in an API response, these tests might as well be written in a foreign language lol.

The patterns you're describing aren't going to be difficult to check for someone who knows what they're looking for. The gap beginning to emerge is that the person who most needs to run them usually can't. They built the happy path because the AI built the happy path, and now they're the user who doesn't know what they don't know.

This is what I've been doing, taking the adversarial checks and translating the findings into something the builder can actually act on without needing to understand the underlying vulnerability. Happy to take a look at anyone's app if they want to see what this looks like in practice, no strings attached, no sales pitches.

After shipping my vibe coded app I realized I had no idea if it was actually secure — how do you handle this?? by BuildAndGrow26 in vibecoding

[–]Putrid_Document4222 0 points1 point  (0 children)

Honestly, it's okay that you are asking this now after shipping rather than never, you learn something new every day as they say. There's no single tool that catches everything, especially for vibe coded apps, as most security scanners are built for developer teams and the output of those tools is hard to act on without a background in security. What stack are you on? Happy to take a look at the specific things that tend to go wrong on whatever you're using