2022-11-02 ◦ Learnings from 5 years of tech startup code audits - Ken Kantzer’s Blog I like No. 13:

There was always at least one closet security enthusiast amongst the software engineers. It was always surprising who it was, and they almost always never knew it was them!

The full list:

• 1 You don’t need hundreds of engineers to build a great product
  • that, years later, are crushing their markets.
• 2 Simple Outperformed Smart
• 3 Our highest impact findings would always come within the first and last few hours of the audit
• 4 Writing secure software has gotten remarkably easier in the last 10 years
• 5 All the really bad security vulnerabilities were obvious
• 6 Secure-by-default features in frameworks and infrastructure massively improved security
• 7 Monorepos are easier to audit
• 8 You could easily spend an entire audit going down the rabbit trail of vulnerable dependency libraries
• 9 Never deserialize untrusted data
• 10 Business logic flaws were rare, but when we found one they tended to be epically bad
• 11 Custom fuzzing was surprisingly effective
• 12 Acquisitions complicated security quite a bit
• 13 There was always at least one closet security enthusiast amongst the software engineers
• 14 Quick turnarounds on fixing vulnerabilities usually correlated with general engineering operational excellence
• 15 Almost no one got JWT tokens and webhooks right on the first try
• 16 There’s still a lot of MD5 in use out there, but it’s mostly false positives