Various insights

  1. Engineering Practices & Team Dynamics:

    • Small engineering teams can produce high-quality products.
    • Simple solutions often outperform clever, over-engineered ones.
    • Quick turnarounds on fixing vulnerabilities usually correlate with overall engineering excellence.
    • There’s always at least one closet security enthusiast among the software engineers.
  2. Security Audit Observations & Techniques:

    • Highest impact findings come early and late in the audit process.
    • Monorepos are easier to audit than multi-repos.
    • Custom fuzzing techniques can be surprisingly effective.
    • Acquisitions introduce complexity in security audits.
  3. Trends in Software Security & Development:

    • Secure coding practices have improved over the last decade.
    • Secure-by-default features in modern frameworks have significantly improved security.
    • Business logic flaws, while rare, can be devastating.
    • Dependency libraries introduce a significant security challenge.
  4. Common Vulnerabilities & Misconceptions:

    • The most severe security vulnerabilities are often glaringly obvious.
    • Deserialization of untrusted data is a major risk.
    • JWTs and webhooks are frequently misconfigured.
    • MD5 is still in use, but often not for security-critical tasks.
  5. Impact & Exploitation Considerations:

    • Discoverability is a crucial factor in assessing the real-world impact of a vulnerability.
    • Security flaws in foundational libraries can have wide-reaching consequences.

Page last modified: 2023-09-21 09:49:25