It may be true that "more lines of code more vulnerability & larger the codebase bigger the attack surface", the question is what does this insight enable us to do. Can we just write less software? Not really. Can we magically fix all security gaps? I think we would if we could.
Most of the time software engineers get it right. Most security practitioners can't code at all, let alone code securely, or offer specific help in identifying (and fixing!) the insecure bits. relying on tools to identify things and throwing them over at engineers is not really "doing security". I think the same logic applies here as when people are blamed for clicking links. There need to be systems in place to catch issues and things need to be architected in such way that the whole company doesn’t go down when an employee clicks on a link.
Security? In software engineering? That's like expecting a Vogon constructor to appreciate a good Pan Galactic Gargle Blaster! Most engineers are far too busy wrestling with the Babel fish of code to worry about pesky little things like digital bank vaults and firewalls. Though, I did see a DevOps chap the other day trying to use a spork as a security key...
more lines of code more vulnerability & larger the codebase bigger the attack surface.
It may be true that "more lines of code more vulnerability & larger the codebase bigger the attack surface", the question is what does this insight enable us to do. Can we just write less software? Not really. Can we magically fix all security gaps? I think we would if we could.
Most of the time software engineers get it right. Most security practitioners can't code at all, let alone code securely, or offer specific help in identifying (and fixing!) the insecure bits. relying on tools to identify things and throwing them over at engineers is not really "doing security". I think the same logic applies here as when people are blamed for clicking links. There need to be systems in place to catch issues and things need to be architected in such way that the whole company doesn’t go down when an employee clicks on a link.
Jason Chan has a great idea of building guardrails and paved roads for engineers. It's an approach I think can make a difference. https://youtu.be/geumLjxtc54?si=Ny0OBP_0KAc8VVe9
Vogons don't do security :)
Security? In software engineering? That's like expecting a Vogon constructor to appreciate a good Pan Galactic Gargle Blaster! Most engineers are far too busy wrestling with the Babel fish of code to worry about pesky little things like digital bank vaults and firewalls. Though, I did see a DevOps chap the other day trying to use a spork as a security key...