← All posts

June 26, 2026

internal newsletter items - security edition

This edition goes into some security issues and what we can do as testers about them. Plus lots of stuff about AI!

Always With the Learning

UX and security can go hand-in-hand, according to Josh Ben-David in this Medium article . In considering how a person authenticates, it is important to understand the tradeoffs and the ease with which it can be done. A quote attributed to Jared Spool lands hard: “if it’s not usable, it’s not secure.”

Tanya Janca has a great security series on her blog. This is number six in the series. She goes through different practices that make for bad and insecure code. In this one, she argues that lack of documentation is a big culprit. And in our current race to keep up with AI-generated code, it becomes that much more critical.

Threat modeling for developers , by Adam Shostack, goes through a quick mnemonic and question guide for discussing whether applications will be safe before they’ve been written. Instead of security being an afterthought, it can be built in from the beginning.

Caroline Wong appeared on the Application Security Podcast to discuss what security looks like in the age of AI. It’s a really good and thought-provoking podcast.

A FIFA World Cup exploit serves as a good reminder of why security is important. This is a WILD read.

Memesis

“Hackerman: When you type ‘password’ in the password field and it works!”

Model Citizen

Chris Parsons has a deep look at what modern AI engineering looks like, and gives the very astute observation that instead of specifying the solution we’re looking for, the move is to specify the problem with the right amount of context. Teams that can build and test five things in an afternoon (to see what the best option is) because they have the right feedback loops set up are more effective than teams that wait a week for feedback. Worth a read.

As a companion piece to the one above, do check out the Agile Testing Fellowship’s post about spec-driven development. And the LinkedIn post by Antony Marcano that they reference.

This was shared already, but it’s definitely worth amplifying. Birgitta Böckeler writes about harness engineering on Martin Fowler’s site, to help AI better do without your context what it does well in general.

It’s come up a lot, but this post about AI making us busier really resonated.

Callum Akehurst-Ryan has developed a model around whether a team is ready for AI adoption. It’s a maturity model, which some people might have feelings about, but it’s at least a good way of looking at how AI can be used by different teams.

The Work AI Institute released its Work AI Index 2026 about botsitting, productivity at work, and how the most effective people are using AI. If you don’t have much time, skim until section 7, where the actionable tips are for breaking the “botshitting” cycle (not my term!).

The OWASP guide to testing AI is chock-full of good information about things to watch for when building and using AI in products.

Bonus meme!

electrical outlet inside of a sink: “vibe-coded app security”

Odds and Ends in Engineering

This article by Ishalli Garg talks about the difference user-driven design makes for the product (rather than implementation-driven design). It’s a thoughtful look at what can happen when we put the code before the user.