The One Thing Devs Can’t Outsource to AI with Tanya Janca

Security has never been a solved problem, but the 2025 OWASP Top 10 makes one thing clear: the rules have shifted again. AI is writing code at scale; developers are vibe-coding to production; and the data that trained those models came from an internet where security was largely optional. The result is a new generation of software that looks like it works, until it doesn’t.

Tanya Janca, Secure Coding Trainer at She Hacks Purple Consulting and lead author of the 2025 OWASP Top 10, joins us this week on the VIA Knowledge Hub podcast. She has spent years training developers at large enterprises, and what she’s seeing right now should concern anyone shipping software in 2026.

In this conversation, Tanya breaks down the vulnerabilities that matter most right now, why AI is making some of them significantly worse, and what developers can actually do about it starting today. She also shares her live training example of AI-generated code hiding its own security failures, and makes the case that developers themselves have become the new high-value target.

Topics Covered

00:00 - Introduction

02:00 - What is The OWASP Top 10 and why does the 2025 update matter?

03:30 - Broken access control explained, and why it stays at number one

05:30 - AI trained on unsecured data, and what it learned about security

07:20 - Speed pressure, vibe coding, and the widening gap between developers and security teams

08:15 - Real-world vibe-coded breaches and the logging and alerting problem

12:35 - Deterministic vs. probabilistic code and the case for rigorous code review

15:45 - Why code review is the new secure coding

18:25 - Prompt injection in AI systems, explained from first principles

21:10 - Threat modeling for agentic workflows: Adam Shostack’s four question threat modeling framework

23:00 - Are teams actually defending against prompt injection today?

27:35 - Are developers equipped to defend themselves from social engineering and targeting?

29:50 - The DevSec Station podcast: 5-minute training episodes

32:55 - Tanya teaches her book, “Alice and Bob Learn Secure Coding,” for free every month

About Tanya Janca

Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the CEO of She Hacks Purple Consulting, where she delivers high-impact, live, secure-coding training for engineering teams. She is also the host of the DevSec Station Podcast.

Over 29 years in the industry, Tanya has received numerous awards, spoken at events worldwide, and built a reputation as one of the most approachable and influential voices in application security. She has trained thousands of developers and security practitioners through her academies and live programs. Her experience includes counter-terrorism work, leading security for the 42nd Canadian federal election, and building and securing a vast range of applications. Today, she is recognized internationally as a leading authority on the security of software.

  • Connect with our guest Tanya Janca: LinkedIn
