A story I told today: Have you ever gone to a club/concert and gotten a hand stamp? And in the morning, you forget and do the typical cleaning in the shower, then as you dry yourself, you notice that the stamp is still there because you didn’t give it necessary extra attention?
A lot of people’s behaviors are like this. You shower to get clean. And the typical shower gets the job done reasonably well. But you went in there to GET CLEAN. So that you didn’t clean the stamp is a shower failure. Merely going through the practiced motions isn’t enough.
Application security is like this, too. You can’t simply go through the motions and catch the unexpected. The unexpected is BY NATURE atypical. You have to enter appsec not (just) thinking about a list of typical things to look for, but having a holistic security mentality.
In the shower example, it’s not really our nature to be atypically observant all of the time. It’s actually HARD as humans to do this; we biologically optimize against it. When enacting security practices, we can’t rely on simple scripts and checklists to get us by.
My point here is that if you’re doing appsec, you need the tools, training, and social support to put yourself in that difficult mental model of looking for some unexpected dirt/ink/vulnerability in every shower — and still find none 99% of the time.