  • MrX posted an update 5 months, 2 weeks ago

    Most developers build features with some basic assumptions in mind.

    They assume:
    • users will follow the correct steps
    • one user will only access their own data
    • requests will come from the UI
    • things will be used the “right” way

    Attackers think differently.

    They try:
    • skipping steps
    • changing order
    • repeating actions
    • using someone else’s data
    • sending requests the UI never sends

    Bugs usually appear where these two mindsets clash.

    If you test a feature only the way it’s supposed to be used, you’ll miss a lot.

    If you test it the way it can be misused, things get interesting.

    How do you usually approach a new feature?
    Curious to hear different ways of thinking.
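
An added example, not part of the original post: a minimal server-side handler for a hypothetical order workflow that rejects each kind of misuse listed above (skipped or reordered steps, repeated actions, another user's data, requests the UI never sends). The `Order` model, action names, field names and idempotency keys are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical workflow: each action is valid from exactly one state, so a
# skipped or reordered step is rejected no matter what the UI would allow.
TRANSITIONS = {
    "add_item": ("cart", "cart"),
    "checkout": ("cart", "pending_payment"),
    "pay": ("pending_payment", "paid"),
}
# Exact set of client-supplied fields accepted per action (assumed names).
ALLOWED_FIELDS = {"add_item": {"sku"}, "checkout": set(), "pay": {"token"}}

@dataclass
class Order:
    owner: str
    state: str = "cart"
    items: list = field(default_factory=list)
    seen_keys: set = field(default_factory=set)

class Rejected(Exception):
    pass

def handle(order, user, action, params, idem_key):
    """Apply one request to an order, trusting nothing the client sends."""
    if user != order.owner:                      # someone else's data
        raise Rejected("not_owner")
    if action not in TRANSITIONS:                # request the UI never sends
        raise Rejected("unknown_action")
    if set(params) != ALLOWED_FIELDS[action]:    # extra or missing fields
        raise Rejected("bad_fields")
    if idem_key in order.seen_keys:              # repeated action (replay)
        raise Rejected("duplicate")
    required, next_state = TRANSITIONS[action]
    if order.state != required:                  # skipped or reordered step
        raise Rejected("wrong_state")
    if action == "checkout" and not order.items:
        raise Rejected("empty_cart")
    if action == "add_item":
        order.items.append(params["sku"])
    order.seen_keys.add(idem_key)                # record only accepted requests
    order.state = next_state
    return order.state

def try_request(order, user, action, params, idem_key):
    """Return the new state, or the rejection reason, for one request."""
    try:
        return handle(order, user, action, params, idem_key)
    except Rejected as exc:
        return "rejected:" + str(exc)
```

Each rejection reason maps to one negative test case: drive `try_request` with the misuse first, then with the intended sequence, and check that only the latter changes state.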
