The holiday season is a good time to reflect on an organization's security practices and ask which side of the "security naughty or nice" list they put the company on. The answer depends on whether the organization takes a holistic approach to securing its environment, such as conducting an application security gap analysis, or prioritizes security fixes based solely on their CVSS score. Organizations should also be cautious about relying on AI tools without proper checks and balances, for example by using sensitive data to write AI prompts or by assuming that AI-generated code is well-written and secure. By taking a risk-based approach to application security posture management and using developer-friendly security tooling, organizations can ensure they are on the "security nice" list.