Looking for vulnerabilities is the last thing I do

There's a common misconception among developers that my job, as an (application) Security Engineer, is to just search for security bugs in their code. They may well have seen junior security engineers doing this kind of thing. But, although this can be useful (and is part of the job), it's not what I focus on and it can be counterproductive. Let me explain.

http://neilmadden.blog/2026/02/20/looking-for-vulnerabilities-is-the-last-thing-i-do/

Neil Madden