CTO - Results of code audits

[InfoSec] [Audit] [CTO]

  • You don’t need hundreds of engineers to build a great product
  • Simple outperformed smart
  • Writing secure software has gotten remarkably easier in the last 10 years
  • All the really bad security vulnerabilities were obvious
  • Secure-by-default features in frameworks and infrastructure massively improved security
  • Monorepos are easier to audit
  • You could easily spend an entire audit going down the rabbit trail of vulnerable dependency libraries
  • Never deserialize untrusted data
  • Business logic flaws were rare, but when we found one they tended to be epically bad
  • Custom fuzzing was surprisingly effective
  • Acquisitions complicated security quite a bit
  • There was always at least one closet security enthusiast amongst the software engineers
  • Quick turnarounds on fixing vulnerabilities usually correlated with general engineering operational excellence
  • Almost no one got JWT tokens and webhooks right on the first try
  • There’s still a lot of MD5 in use out there, but it’s mostly false positives
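The JWT and webhook point above is the one most worth seeing in code. The example below is added here and is not from Kantzer's post or from any audited codebase; it uses only the Python standard library, and the keys, claims, webhook body and timestamps in it are constructed for the demonstration. It pins the algorithm on the verifier side instead of trusting the token's `alg` header (so `alg=none` and HS256/RS256 confusion are rejected), compares MACs in constant time, requires and checks `exp`, and for webhooks signs the raw body together with a timestamp so captured deliveries cannot be replayed outside a short window.

```python
"""Added example: the usual first-try JWT and webhook mistakes, and the checks that avoid them.
Stdlib only. All keys, secrets, claims and bodies below are constructed test values."""
import base64
import hashlib
import hmac
import json
import time

# ---- JWT (HS256) -------------------------------------------------------------

def _b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT (issuer side; exists so the verifier can be exercised)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is valid, else raise ValueError.

    Mistakes avoided: the expected algorithm is fixed by the verifier, not read
    from the token (defeats alg=none and key-confusion tokens); the MAC is compared
    in constant time; a missing or past "exp" is a hard failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pinned; never dispatch on the token's alg
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    return claims

def jwt_check(token: str, key: bytes, now=None) -> str:
    """Helper for the demo/tests: 'ok' or the rejection reason."""
    try:
        verify_hs256_jwt(token, key, now)
        return "ok"
    except ValueError as e:
        return str(e)

def forge_alg_none(claims: dict) -> str:
    """Constructed attacker token: alg=none header and an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

# ---- Webhook signatures ------------------------------------------------------

WEBHOOK_TOLERANCE_SECONDS = 300   # replay window; assumed value, tune for your delivery latency

def sign_webhook(body: bytes, secret: bytes, timestamp: int) -> str:
    """Sender side: MAC over '<timestamp>.<raw body>' so the timestamp is bound to the body."""
    mac = hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()
    return "t=%d,v1=%s" % (timestamp, mac)

def verify_webhook(body: bytes, secret: bytes, signature_header: str, now: int) -> bool:
    """Receiver side. Verify over the *raw* request bytes (re-serialised JSON will not match),
    reject deliveries outside the replay window, and compare MACs in constant time."""
    try:
        fields = dict(item.split("=", 1) for item in signature_header.split(","))
        timestamp = int(fields["t"])
        provided = fields["v1"].encode("ascii")
    except (ValueError, KeyError, UnicodeEncodeError):
        return False
    if abs(now - timestamp) > WEBHOOK_TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest().encode("ascii")
    return hmac.compare_digest(expected, provided)

if __name__ == "__main__":
    key = b"constructed-jwt-key"
    good = sign_hs256_jwt({"sub": "user-1", "exp": 2000}, key)
    print("valid token:", jwt_check(good, key, now=1000))
    print("alg=none forgery:", jwt_check(forge_alg_none({"sub": "admin", "exp": 2000}), key, now=1000))
    print("expired:", jwt_check(good, key, now=3000))
    body, secret, ts = b'{"id":"evt_1","amount":100}', b"constructed-webhook-secret", 1700000000
    sig = sign_webhook(body, secret, ts)
    print("fresh webhook:", verify_webhook(body, secret, sig, now=ts + 10))
    print("replayed webhook:", verify_webhook(body, secret, sig, now=ts + 3600))
```

Two things in this pattern catch people in production: the webhook MAC must be computed over the bytes the framework actually received, so read the raw body before any JSON middleware touches it; and the JWT verifier's algorithm is a constant in your code, never a value read from the token or negotiated per request.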

https://kenkantzer.com/learnings-from-5-years-of-tech-startup-code-audits/