What Most Security Teams Miss: An Engineering Manager’s Take on AppSec with Desmond Lamptey

The interview features Desmond Lamptey, a seasoned software engineering manager, discussing his journey to becoming a "security champion"—a developer who actively advocates for and contributes to secure coding practices. He explains that traditional severity labels like “medium” or “low” often leave developers unsure how urgent a vulnerability really is, leading to delays or neglect in remediation.

Desmond emphasizes that fostering a culture of security within development teams requires more than mandates; it requires making security enjoyable, relatable, and integrated into everyday workflows. His team succeeded in doing this by gamifying security education, using tools like Secure Code Warrior and rewarding engagement through badges and progression levels. 

He highlights that success came not from reducing all vulnerabilities, which is unrealistic, but from increasing awareness and the quality of mistakes, showing developers were thinking differently. He reflects on how developers often feel overwhelmed by being expected to handle too many responsibilities and how security is usually seen as “one more ball to juggle.” 

He stresses the importance of empathy between security and engineering teams and the need to align both sides’ goals—speed and safety. He argues that security should be embedded into the development lifecycle, ideally starting in the IDE, and not as a separate post-development step. 

Desmond critiques the disconnect in how security severity is communicated, suggesting numeric likelihood scores and real-world examples would be far more effective than vague labels. He believes security tools themselves should surface this context automatically to assist both security and development teams. 

For those new to secure coding, he recommends gamified platforms like OWASP Juice Shop and Hack The Box, and shares that his proudest milestone was leading a threat modeling session as part of a specialty-level badge. 

Looking forward, he aims to learn how to build AI-powered tools to automate offensive security tasks. He closes by recommending the book Who Moved My Cheese? for its insights into personal change, which he sees as essential for embracing security as part of an engineer’s role.
