BSidesLuxembourg 2026

Out of Security Exception - What to Do Without an Expert to Secure Your Software
2026-05-07, Workshops and Stage - Gernsback (C1.05.02)

“We requested a review from security a month ago and there’s no feedback.” Does this sound familiar to you? Maybe you’ve heard that your security team is occupied with other tasks that are “higher priority” and your product is just not. “Nothing we can do, security is an expert’s job.” Or maybe you simply don’t have any dedicated security team in your company. So, your hands are bound and you can’t do anything anyways, right?

What if you could, though? What if you could do a lot more than you might think to make your software more secure? What if you could save time and effort by taking security into your own hands?

In this talk, we’ll go through several activities that you might already do right now, and demonstrate how you can shape these to improve your product’s security posture. Let’s take a few examples: when you’re analyzing the next product changes, you can use threat modeling to also consider potential security issues and hence plan their implementation with security in mind. Collaborating across roles on developing the changes can help you detect security flaws before they make it to production. Investing in maintenance and reducing technical debt will at the same time make your product a less attractive target. When observing production, you can spot malicious actors probing your system, enabling you to respond before harm is done.

If you apply good software development practices, they help you make your product more secure, and good security practices help you make software that provides more value and less harm. With and without an expert at hand.

Key learnings:
- Stop waiting for dedicated security experts and start acting yourself
- Understand how good software development practices support security practices and vice versa
- Gain insights on what an engineering team can do themselves to build secure enough products
- Learn how to use this newly found leverage of benefits on all sides when prioritizing which changes and activities to invest in



Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. Building great products that deliver value together with great people motivates her and lets her thrive. As a security engineer, she’s now fully focusing on all things product security to help build more secure solutions. She's committed to testing and quality, passionate about whole-team approaches to increase effectiveness and resilience, and enjoys experimenting and learning continuously. Having received a lot from communities, Lisi is paying it forward by sharing her stories and learning in public. She posts on Mastodon as @lisihocke@mastodon.social and blogs at www.lisihocke.com. In her free time, she plays indoor volleyball or delves into computer games and stories of all kinds.
