Learnings from 5 years of tech startup code audits - Ken Kantzer's Blog
https://kenkantzer.com/learnings-from-5-years-of-tech-startup-code-audits/
Saved on 2022-05-28 [19140 edays] via kenkantzer.com
Modified 2023-09-12 [19612 edays]
cybersecurity technology
- You don’t need hundreds of engineers to build a great product.
- Simple outperformed smart.
- Our highest impact findings would always come within the first and last few hours of the audit.
- Writing secure software has gotten remarkably easier in the last 10 years.
- All the really bad security vulnerabilities were obvious.
- Secure-by-default features in frameworks and infrastructure massively improved security.
- Monorepos are easier to audit.
- You could easily spend an entire audit going down the rabbit trail of vulnerable dependency libraries.
- Never deserialize untrusted data.
- Business logic flaws were rare, but when we found one they tended to be epically bad.
- Custom fuzzing was surprisingly effective.
- Acquisitions complicated security quite a bit.
- There was always at least one closet security enthusiast amongst the software engineers.
- Quick turnarounds on fixing vulnerabilities usually correlated with general engineering operational excellence.
- Almost no one got JWT tokens and webhooks right on the first try.
- There’s still a lot of MD5 in use out there, but it’s mostly false positives.
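The "never deserialize untrusted data" point above, as an added example (not code from the blog post or from any audited codebase). It uses Python's pickle because it is the textbook case: a crafted object's __reduce__ makes pickle.loads call an arbitrary function before the caller ever inspects the result, whereas a data-only format plus explicit field validation has no such hook. The Order schema and the sample inputs are constructed for the illustration.

```python
import dataclasses
import json
import pickle

# Records anything that ran purely because bytes were deserialised.
SIDE_EFFECTS = []


def _run_on_load(tag: str) -> dict:
    SIDE_EFFECTS.append(tag)  # stand-in for os.system(...), a reverse shell, etc.
    return {"status": "ok"}


class Gadget:
    """Attacker-controlled object: __reduce__ tells pickle to *call*
    _run_on_load on load. The call happens inside pickle.loads, before
    the caller sees any return value or gets a chance to type-check it."""

    def __reduce__(self):
        return (_run_on_load, ("code ran during deserialisation",))


def craft_malicious_blob() -> bytes:
    """What the attacker sends (constructed sample)."""
    return pickle.dumps(Gadget())


def unsafe_load(blob: bytes):
    """The audit finding: pickle.loads on data that crossed a trust
    boundary (HTTP body, cookie, message queue, cache entry)."""
    return pickle.loads(blob)


@dataclasses.dataclass(frozen=True)
class Order:
    order_id: int
    sku: str
    quantity: int


def _positive_int(v, name: str) -> int:
    # bool is a subclass of int in Python, so exclude it explicitly
    if not isinstance(v, int) or isinstance(v, bool) or v <= 0:
        raise ValueError(f"{name} must be a positive integer")
    return v


def safe_load_order(data: bytes) -> Order:
    """The alternative: a data-only format (JSON), then explicit validation
    of every field into a plain type. json.loads cannot instantiate
    arbitrary classes or call functions, so the worst case is a ValueError."""
    obj = json.loads(data)  # UnicodeDecodeError/JSONDecodeError are ValueErrors
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    expected = {"order_id", "sku", "quantity"}
    if set(obj) != expected:
        raise ValueError(f"unexpected or missing keys: {sorted(set(obj) ^ expected)}")
    sku = obj["sku"]
    if not isinstance(sku, str) or not (1 <= len(sku) <= 32) or not sku.isalnum():
        raise ValueError("sku must be 1-32 alphanumeric characters")
    return Order(
        order_id=_positive_int(obj["order_id"], "order_id"),
        sku=sku,
        quantity=_positive_int(obj["quantity"], "quantity"),
    )


def order_rejected(data: bytes) -> bool:
    """True if safe_load_order refused the input."""
    try:
        safe_load_order(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    blob = craft_malicious_blob()
    print("unsafe_load returned:", unsafe_load(blob), "| side effects:", SIDE_EFFECTS)
    print(safe_load_order(b'{"order_id": 42, "sku": "ABC123", "quantity": 2}'))
    # pickle bytes are not JSON: the safe loader raises instead of executing anything
    print("pickle blob rejected by safe loader:", order_rejected(blob))
```

The same shape applies to Java's ObjectInputStream, PHP's unserialize, .NET's BinaryFormatter and YAML loaders that construct objects: the format itself decides what gets instantiated, so the fix is to switch formats and validate, not to filter class names after the fact.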
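The JWT and webhook point above, as an added example (not code from the blog post; the post does not say which mistakes it found). The two first-try errors most often seen in practice are shown beside their fix: a JWT verifier that decodes the payload without pinning the algorithm or checking the signature, versus one that does both and enforces exp; and a webhook receiver that recomputes an HMAC over the raw body in constant time and rejects stale timestamps. The `t=...,v1=...` header layout is a hypothetical scheme chosen for the example, and all keys and bodies are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# ---- JWT, HS256 only -------------------------------------------------------

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json_b64(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """Mint a token the way the legitimate issuer would."""
    header, payload = _json_b64({"alg": "HS256", "typ": "JWT"}), _json_b64(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def forge_alg_none(claims: dict) -> str:
    """What an attacker sends: chosen claims, alg=none, empty signature."""
    return f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{_json_b64(claims)}."

def verify_jwt_naive(token: str) -> dict:
    """The first-try mistake: decode the payload and never check the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))

def verify_jwt_hs256(token: str, key: bytes, now=None) -> dict:
    """Hardened: pin the algorithm, constant-time MAC check, enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The token must not choose its own algorithm: alg=none and
    # RS256->HS256 key confusion both start with trusting this field.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims

# ---- Webhook signatures ----------------------------------------------------
# Assumed (hypothetical) header format: "t=<unix>,v1=<hex HMAC-SHA256 of '<t>.<raw body>'>"

def sign_webhook(body: bytes, secret: bytes, ts: int) -> str:
    mac = hmac.new(secret, f"{ts}.".encode("ascii") + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"

def verify_webhook(body: bytes, header: str, secret: bytes, now: int, tolerance: int = 300) -> bool:
    """Recompute over the raw bytes (not re-serialised JSON), compare in
    constant time, and reject timestamps outside the replay window."""
    try:
        fields = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(fields["t"])
        given = bytes.fromhex(fields["v1"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, f"{ts}.".encode("ascii") + body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)

def rejected(fn, *args, **kwargs) -> bool:
    """True if the verifier refused the input with ValueError."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    key = b"server-side-secret"  # constructed sample key
    good = sign_jwt_hs256({"sub": "alice", "exp": 2_000_000_000}, key)
    forged = forge_alg_none({"sub": "admin", "exp": 2_000_000_000})
    print("naive accepts forged token as:", verify_jwt_naive(forged)["sub"])
    print("hardened rejects forged token:", rejected(verify_jwt_hs256, forged, key))
    print("hardened accepts real token:", verify_jwt_hs256(good, key)["sub"])
    body = b'{"event":"payment.succeeded","amount":100}'  # constructed sample body
    hdr = sign_webhook(body, b"whsec", 1_700_000_000)
    print("webhook ok:", verify_webhook(body, hdr, b"whsec", now=1_700_000_060))
    print("replayed later:", verify_webhook(body, hdr, b"whsec", now=1_700_003_600))
```

Two details worth carrying into real code: the webhook MAC is computed over the exact bytes received, because re-serialising the parsed JSON changes whitespace and key order and the comparison silently fails; and `hmac.compare_digest` is used in both verifiers so a byte-by-byte `==` does not leak how much of the signature matched.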