• Codex
    link
    37 months ago

    But then I decided, I wrote my own solution, a thing of 1,600 lines of code, which is, yeah, it’s like thousands of times less than the competition.

    And it works. It’s very popular. … I got 100 emails from people saying that it’s so nice that someone wrote a small piece of software that is robust, does not have dependencies, you know how it works.

    But the depressing thing is, some of the security people in the field, they thought it was a lovely challenge to audit my 1,600 lines of code. And they were very welcome to do that, of course. And they found three major vulnerabilities in there.

    He makes a ton of excellent points, but the succinct impact of this little example really hit for me. As someone who often rewrites things so that I can both understand and fully trust in what I’m depending on, it’s always good to be reminded that you literally can’t write 500 lines of code without a good chance of introducing a major vulnerability.

    The tech stack is so dizzyingly high today, and with so many interlocking parts, it continually amazes me that anything at all functions even in the absence of hostile actors.