Various insights

1. Engineering Practices & Team Dynamics:

   • Small engineering teams can produce high-quality products.
   • Simple solutions often outperform clever, over-engineered ones.
   • Quick turnarounds on fixing vulnerabilities usually correlate with overall engineering excellence.
   • There’s always at least one closet security enthusiast among the software engineers.

2. Security Audit Observations & Techniques:

   • Highest impact findings come early and late in the audit process.
   • Monorepos are easier to audit than multi-repos.
   • Custom fuzzing techniques can be surprisingly effective.
   • Acquisitions introduce complexity in security audits.

3. Trends in Software Security & Development:

   • Secure coding practices have improved over the last decade.
   • Secure-by-default features in modern frameworks have significantly improved security.
   • Business logic flaws, while rare, can be devastating.
   • Dependency libraries introduce a significant security challenge.

4. Common Vulnerabilities & Misconceptions:

   • The most severe security vulnerabilities are often glaringly obvious.
   • Deserialization of untrusted data is a major risk.
   • JWT tokens and webhooks are frequently misconfigured.
   • MD5 is still in use, but often not for security-critical tasks.

5. Impact & Exploitation Considerations:

   • Discoverability is a crucial factor in assessing the real-world impact of a vulnerability.
   • Security flaws in foundational libraries can have wide-reaching consequences.

Page last modified: 2023-09-21 09:49:25