I've been writing software professionally since 2011. Java, C#, Kotlin, Node.js. Enterprise backends, microservices, APIs, data pipelines. I've shipped production code that millions of people have used without knowing it. I've led teams, reviewed architectures, mentored junior engineers, and done all the things that accumulate into what people call "senior software engineer."

And yet, when I decided to transition into application security, I realised I had significant blind spots — not about how software works, but about how software fails. Specifically, how it fails in ways that attackers can exploit.

This is the final article in a series about building a SAST scanner from scratch, embedding it in CI/CD pipelines, writing custom detection rules, and managing false positives. But it's really about what that whole process taught me about application security as a discipline — and what I wish I'd understood earlier.

I Knew How to Write Secure Code. I Didn't Know Why It Was Secure.

…