The Changelog: Software Development, Open Source

Lessons from 5 years of startup code audits (Interview)

4 snips

Jun 24, 2022

Ken Kantzer, co-founder of PKC Security, shares insights from over 20 code audits he and his team conducted on startups. He discusses the surprising connection between team size and product quality, emphasizing the importance of external perspectives. The conversation highlights a shift toward simpler engineering practices, the evolution of security methods in development, and navigating open-source security challenges. Ken also warns about flawed business logic in software and shares lessons learned from the fast-paced world of startups.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Easier Security

Writing secure software is easier now due to increased open-source usage and developer security awareness.
Frameworks and libraries fix bugs, and developers are more security-conscious.

INSIGHT

Obvious Vulnerabilities

The most impactful security vulnerabilities are often obvious and easy to exploit.
This contradicts the notion that hackers always use complex, unpredictable methods.

ADVICE

Monorepo Advantages

Use monorepos for easier auditing and improved developer ergonomics.
Consolidating code simplifies searching, dependency tracking, and overall code management.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Adam and Jerod are joined by Ken Kantzer, co-founder of PKC Security. Ken and his team performed upwards of 20 code audits on well-funded startups. Now that it’s 7 or 8 years later, he wrote up 16 surprising observations and things he learned looking back at the experience. We gotta discuss ’em all!

Join the discussion

Changelog++ members save 6 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

Sentry – Working code means happy customers. That’s exactly why teams choose Sentry. From error tracking to performance monitoring, Sentry helps teams see what actually matters, resolve problems quicker, and learn continuously about their applications - from the frontend to the backend. Use the code CHANGELOG and get the team plan free for three months.
InfluxData – The time series platform for building and operating time series applications — InfluxDB empowers developers to build IoT, analytics, and monitoring software. It’s purpose-built to handle massive volumes and countless sources of time-stamped data produced by sensors, applications, and infrastructure. Learn more at influxdata.com/changelog
Honeycomb – Guess less, know more. When production is running slow, it’s hard to know where problems originate: is it your application code, users, or the underlying systems? With Honeycomb you get a fast, unified, and clear understanding of the one thing driving your business: production. Join the swarm and try Honeycomb free today at honeycomb.io/changelog
Sourcegraph – Transform your code into a queryable database to create customizable visual dashboards in seconds. Sourcegraph recently launched Code Insights — now you can track what really matters to you and your team in your codebase. See how other teams are using this awesome feature at about.sourcegraph.com/code-insights

Featuring:

Ken Kantzer – Website, GitHub, X
Adam Stacoviak – Website, GitHub, LinkedIn, Mastodon, X
Jerod Santo – Website, GitHub, LinkedIn, Mastodon, X

Show Notes:

Something missing or broken? PRs welcome!