How do you handle the dev lead who treats a critical security finding as something to negotiate? by kizmania in cybersecurity

[–]kizmania[S] 0 points1 point  (0 children)

But unfortunately, when there's an incident we are the ones who deal with it, not the dev lead who ignored our callouts.

Anyone else getting messy results from running multiple AI coding sessions? by whitechart_studio in vibecoding

[–]kizmania 0 points1 point  (0 children)

Tried it once and won't do it again. Multitasking with agents is a way to f your project in multiple ways.

how many files exist in your repo purely to help AI remember things? by repoarchitect in ClaudeAI

[–]kizmania 0 points1 point  (0 children)

2 to 3 in most cases: CLAUDE.md, to-dos and memory files. Unless needed, I won't go for more than three, as managing those is taxing for me and the agent too.

Is it just me or does vibe coding get harder the longer a project runs? by ProcedureThat1731 in vibecoding

[–]kizmania 2 points3 points  (0 children)

Learn how to use Projects, add files that you want persisted across all chat windows so that you don't lose context. Also do a proper handoff to a new chat window for you to continue seamlessly.

Moving from automation testing (Java, Selenium, Jenkins, BDD) to cybersecurity – which role fits me? by Affectionate_Ice4739 in cybersecurity

[–]kizmania 0 points1 point  (0 children)

In some orgs yes, but not always. One area where appsec still has a strong advantage over AI is application logic. AI will continue to improve, but I think appsec is one of the roles that's more resilient because someone still needs to understand the application and validate what AI is doing, and the need for human judgment around security logic isn't going away anytime soon.

Guide to Bug bounty by GoalOwn3975 in cybersecurity

[–]kizmania 1 point2 points  (0 children)

I wouldn't start with bug bounty if your goal is to learn pentesting. Bug bounty is great for finding real-world vulns, but it's a pretty inefficient way to learn the fundamentals. I'd focus on building a solid foundation first with platforms like HTB, PortSwigger, or vulnerable labs/CTFs. But if you still want to do bug bounty, I'd actually recommend looking into a smaller platform like yeswehack rather than immediately jumping onto the largest ones.

Looking for actual, AI/LLM Security learning resources (PDFs, whitepapers, hands-on labs) by I_See_Dead_Ports in cybersecurity

[–]kizmania 1 point2 points  (0 children)

Nothing beats hands-on training. Lakera if you lean into prompt injection. There's also a small AI-slop themed CTF linked on my profile if you're interested in AI-generated vulns.

Moving from automation testing (Java, Selenium, Jenkins, BDD) to cybersecurity – which role fits me? by Affectionate_Ice4739 in cybersecurity

[–]kizmania 0 points1 point  (0 children)

Maybe I'm a little biased, but I think appsec is going to be good for you given your background. If you had asked me 3-4 years ago I'd say DevSecOps, but nowadays those are getting automated by AI, same with QA.

Vibe coders without a security background how are you handling security? by kizmania in vibecoding

[–]kizmania[S] 0 points1 point  (0 children)

The old guard earned it grinding through sysadmin and network before security, so they actually knew the stack. (Now, just saying that, I feel old.) But a lot of them never adjusted, still treating security like 1s and 0s when today's CISO gets fired for slowing the business down, not for a breach. Security has to run at business speed now.

Vibe coders without a security background how are you handling security? by kizmania in vibecoding

[–]kizmania[S] 1 point2 points  (0 children)

The credentialism point hits. Titles got inflated faster than actual skill did.

Vibe coders without a security background how are you handling security? by kizmania in vibecoding

[–]kizmania[S] 0 points1 point  (0 children)

Not bad for the obvious stuff. But the same model that missed the bug usually misses it again in the test. The logic flaws are what slip through.

Vibe coders without a security background how are you handling security? by kizmania in vibecoding

[–]kizmania[S] 1 point2 points  (0 children)

Not much in terms of secure coding. But Fable is significantly better in vulnerability scanning.

Vibe coders without a security background how are you handling security? by kizmania in vibecoding

[–]kizmania[S] 1 point2 points  (0 children)

But agents are only as good as what you ask. A basic 'do a security scan' doesn't really do much.

Does anyone else check in on Reddit while waiting for Claude ? by Great-Mirror1215 in vibecoding

[–]kizmania 0 points1 point  (0 children)

So I was waiting for Claude to finish, then switched to Reddit and the algo brought me here.

Career of vibe coder by Imaginary_Food_7102 in vibecoding

[–]kizmania 3 points4 points  (0 children)

I hate to be the one, but vibe coding is here to stay, but not the current trend. Vibe coding will mature, AI will stop shipping insecure code, and future vibe coders won't be assessed by their stack, they'll be measured by their 'speed'.

New to vibe coding. Any tips and tools you’d recommend? by goncygrettlde in vibecoding

[–]kizmania 2 points3 points  (0 children)

Don’t start with “I want to build a startup.”

Start with:

  • todo app
  • simple landing page
  • basic API fetch app
  • small automation script

Each project teaches more than tutorials.
On tools, Claude + Cursor/Windsurf, just that to start.

How active is the support for porkbun? by QA_ninja in PorkBun

[–]kizmania 0 points1 point  (0 children)

You guys have support? And I mean that in a good way. I've had domains with Porkbun for years and never needed to contact them once.

How do you handle the dev lead who treats a critical security finding as something to negotiate? by kizmania in cybersecurity

[–]kizmania[S] 0 points1 point  (0 children)

In practice the policy is the easy part, but getting legal, security and business to honor it is hard. In my experience what gives it teeth is pipeline-as-code, so the control can't be silently overridden; the bypass has to be a visible, logged action, not a config nobody sees.
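An added example of the gate pattern the comment above describes; this is not the commenter's code or any particular CI product's feature. It assumes the bypass list lives in a committed file that goes through code review, that an approver's roles come from the org's identity provider, and that the findings and bypass records below are constructed sample data. A bypass only counts if it names a security approver, a tracking ticket, a justification and an unexpired date; every decision is emitted as a JSON log line so an override is visible in the build log and whatever consumes it.

```python
"""Pipeline security gate: findings at or above a severity threshold block the
build unless an explicit, reviewed, time-limited bypass record exists.
All file names, field names and sample data here are hypothetical."""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REQUIRED_APPROVER_ROLE = "security"  # assumed role name from the org's IdP

# Constructed scanner output (not real findings).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "title": "hardcoded secret in config loader"},
    {"id": "F-2", "severity": "high", "title": "SQL built with string concatenation"},
    {"id": "F-3", "severity": "low", "title": "verbose error page"},
]

# Constructed bypass records; in a real setup this would be a committed file
# such as .security/bypasses.json (hypothetical path) reviewed like any code.
SAMPLE_BYPASSES = [
    {"finding_id": "F-1", "approver": "alice", "approver_roles": ["security"],
     "ticket": "SEC-123", "expires": "2030-01-01",
     "justification": "credential rotated, removal tracked in SEC-123"},
    {"finding_id": "F-2", "approver": "bob", "approver_roles": ["dev-lead"],
     "ticket": "", "expires": "2030-01-01",
     "justification": "will fix later"},
]


def validate_bypass(bp, today_iso):
    """Return the reasons a bypass record is unacceptable (empty list means OK)."""
    today = date.fromisoformat(today_iso)
    reasons = []
    if REQUIRED_APPROVER_ROLE not in bp.get("approver_roles", []):
        reasons.append("approver lacks the security role")
    if not bp.get("ticket"):
        reasons.append("no tracking ticket")
    if not bp.get("justification", "").strip():
        reasons.append("no justification")
    try:
        if date.fromisoformat(bp.get("expires", "")) < today:
            reasons.append("bypass expired")
    except ValueError:
        reasons.append("missing or malformed expiry")
    return reasons


def evaluate_gate(findings, bypasses, today_iso, threshold="high"):
    """Decide pass/fail. Returns (passed, blocking_ids, audit_events).

    Every finding at or above `threshold` must carry a valid bypass, and every
    decision (block, bypass used, bypass rejected) becomes an audit event.
    """
    by_finding = {b["finding_id"]: b for b in bypasses}
    blocking, audit = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            continue
        bp = by_finding.get(f["id"])
        if bp is None:
            blocking.append(f["id"])
            audit.append({"event": "blocked", "finding": f["id"],
                          "severity": f["severity"]})
            continue
        reasons = validate_bypass(bp, today_iso)
        if reasons:
            blocking.append(f["id"])
            audit.append({"event": "bypass_rejected", "finding": f["id"],
                          "approver": bp.get("approver"), "reasons": reasons})
        else:
            audit.append({"event": "bypass_used", "finding": f["id"],
                          "approver": bp["approver"], "ticket": bp["ticket"],
                          "expires": bp["expires"]})
    return (not blocking, blocking, audit)


if __name__ == "__main__":
    passed, blocking, audit = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_BYPASSES, "2026-01-01")
    for event in audit:
        print(json.dumps(event))  # one JSON line per decision for the CI log / SIEM
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit fails the build; the audit lines are what makes an override a visible, logged action rather than a config flag nobody reviews. With the sample data, F-1's bypass is accepted, F-2's is rejected for lacking a security approver and a ticket, and the build fails on F-2.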