Threat Modeling Developer Behaviour: The Psychology of Bad Code

Security teams threat model systems, but rarely do we threat model the developers building them. What if some of the most persistent AppSec problems aren’t purely technical—but behavioral?

This talk dives into the psychology of insecure code, using principles from behavioral economics to explain why developers take risky shortcuts, ignore secure practices, or ship code that “just vibes.” From copying insecure Stack Overflow snippets, to skipping documentation, to shipping untested features under tight deadlines—these aren’t personal failings. They’re predictable cognitive patterns influenced by incentives, stress, and how our brains are wired.

We’ll explore how well-known concepts such as present bias, automation bias, the bystander effect, and overconfidence play out in real-world development. Then we’ll shift from insight to action—offering behavioral nudges and design patterns you can apply in your SDLC, tools, and team culture to make secure behavior the default.

This talk blends psychology, security, and dev reality to reframe AppSec—not as a checklist, but as a human system.

Tanya Janca

Secure Coding Trainer at She Hacks Purple

Victoria, Canada
