Notes from the Field — Practical AppSec Tactics
Tools are multipliers; tactics change outcomes.
Tactics
1. Treat logs as an interface. Design queries alongside features.
2. Budget time for negative tests (timeouts, 500s, retries).
3. Prefer deny-by-default routing; “allow list” is a mindset.
Shell hygiene
set -euo pipefail   # exit on any error, on an unset variable, or on a failing pipeline stage
IFS=$'\n\t'         # word-split only on newline and tab, never on spaces inside values
# -f: treat HTTP 4xx/5xx as failure; -sS: quiet except for errors; --max-time: never hang the script
curl -fsS --max-time 5 https://service/health || { echo "down" >&2; exit 1; }
JavaScript snippets
// Watch for accidental credential leaks in devtools.
// Each DOM mutation re-scans every resource-timing entry, so a matching
// URL is warned about repeatedly; the warning also echoes the full URL,
// secret value included, into the console.
new MutationObserver(() => {
  performance.getEntriesByType('resource')
    .filter(r => /token|secret|key/i.test(r.name))
    .forEach(r => console.warn('Sensitive URL', r.name));
}).observe(document, { subtree: true, childList: true });
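A quieter variant of the watcher above, added here as an example rather than taken from the original notes. The match logic is a pure function (findSensitiveRequests) so it can be unit-tested outside a browser; it inspects query parameter names rather than the whole URL, redacts the matched values before anything is logged, and the browser wiring (installWatcher) uses PerformanceObserver so each resource entry is seen once instead of being rescanned on every DOM mutation. The function names and the sample URLs are this example's own.

```javascript
// Same pattern the note uses, applied to parameter names only.
const SENSITIVE_PARAM = /token|secret|key/i;

// Returns one finding per absolute URL whose query parameter names look like
// credential carriers. The returned url has those values replaced with
// REDACTED so the warning itself does not leak the secret into console
// output or a log forwarder. Relative or malformed entries are skipped.
function findSensitiveRequests(urls) {
  const findings = [];
  for (const raw of urls) {
    let url;
    try {
      url = new URL(raw);
    } catch (e) {
      continue;   // not an absolute URL; resource entries normally are
    }
    const params = [];
    for (const name of new Set(url.searchParams.keys())) {
      if (SENSITIVE_PARAM.test(name)) params.push(name);
    }
    if (params.length === 0) continue;
    const redacted = new URL(url.toString());
    for (const name of params) redacted.searchParams.set(name, 'REDACTED');
    findings.push({ url: redacted.toString(), params });
  }
  return findings;
}

// Browser-only wiring. PerformanceObserver delivers each resource entry once
// (buffered: true replays entries that loaded before the observer attached),
// and the seen-set guards against duplicates across callbacks. Returns null
// outside a browser so the file can also be loaded under Node for testing.
function installWatcher(report = (finding) => console.warn('Sensitive URL', finding)) {
  if (typeof window === 'undefined' || typeof PerformanceObserver === 'undefined') return null;
  const seen = new Set();
  const observer = new PerformanceObserver((list) => {
    const fresh = list.getEntries().map(e => e.name).filter(n => !seen.has(n));
    fresh.forEach(n => seen.add(n));
    findSensitiveRequests(fresh).forEach(report);
  });
  observer.observe({ type: 'resource', buffered: true });
  return observer;
}

// Constructed sample of resource-entry names for a dry run outside a browser.
const SAMPLE_URLS = [
  'https://api.example.test/v1/users?api_key=abc123&page=2',
  'https://cdn.example.test/app.js',
  'not a url',
  'https://auth.example.test/cb?access_token=xyz&state=1',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findSensitiveRequests(SAMPLE_URLS));
  installWatcher();   // no-op under Node
}
```

In a page, call installWatcher() once at startup; the report callback is the place to route findings to a structured log event instead of console.warn if the team already treats logs as an interface.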
Security is a product quality, not just a gate.