2 Comments

more lines of code more vulnerability & larger the codebase bigger the attack surface.

Expand full comment
author

It may be true that "more lines of code more vulnerability & larger the codebase bigger the attack surface", the question is what does this insight enable us to do. Can we just write less software? Not really. Can we magically fix all security gaps? I think we would if we could.

Most of the time software engineers get it right. Most security practitioners can't code at all, let alone code securely, or offer specific help in identifying (and fixing!) the insecure bits. relying on tools to identify things and throwing them over at engineers is not really "doing security". I think the same logic applies here as when people are blamed for clicking links. There need to be systems in place to catch issues and things need to be architected in such way that the whole company doesn’t go down when an employee clicks on a link.

Jason Chan has a great idea of building guardrails and paved roads for engineers. It's an approach I think can make a difference. https://youtu.be/geumLjxtc54?si=Ny0OBP_0KAc8VVe9

Expand full comment