There's a common misconception among developers that my job, as a (application) Security Engineer, is to just search for security bugs in their code. They may well have seen junior security engineers doing this kind of thing. But, although this can be useful (and is part of the job), it's not what I focus on…

NeilMadden's blog is a resource for developers and software engineers seeking to enhance the security and efficiency of their programs. Covering topics such as secure coding practices, encryption techniques, and vulnerability management strategies, it offers practical insights and actionable advice to mitigate security risks effectively. Through detailed tutorials, code examples, and expert commentary, the blog equips its audience with the knowledge and tools needed to build robust and resilient software solutions in today's digital landscape.

Neil Madden

A senior application security engineer explains why actively hunting for vulnerabilities is the last priority, not the first. Before bug-finding, the real work involves assessing security maturity, improving incident response processes, training developers, establishing secure coding standards, identifying security champions per team, and instrumenting build pipelines with SCA, secret scanning, and SAST. Only once this foundation is in place does systematic vulnerability discovery become productive—otherwise, finding bugs without the organizational infrastructure to handle them creates burnout and leaves the org no better off.

Looking for vulnerabilities is the last thing I do