When most developers think about security, they picture vulnerabilities, patches, and scanners. After twenty years working with engineering teams — and cleaning up after a few spectacular breaches — I’ve learned the truth is much simpler: the biggest security failures come from human behavior inside the team.

In this talk, we’ll break down how communication gaps, burnout, unclear ownership, and “we’ll fix it later” culture lead to security holes that no scanner will catch. I’ll share stories from my time at Evernote, Spirit Airlines, and as a fractional CTO where a single rushed decision created months of pain.

Then we’ll get practical. I’ll walk you through a lightweight, developer-friendly security checklist you can use on any PHP project — without slowing delivery. We’ll look at how to design safer defaults, how to avoid common authentication traps, and how to build a culture where secure code becomes the default, not the exception.

You don’t need to be a security engineer to protect your product. You just need to understand how teams actually behave.