I am utterly confused at how you think rewriting entire libraries has fewer security holes than battle-hardened libraries that 1000s of other people use.
- Generating your own left pad means you don't have to pull in an external left pad
- Which in turn means left pad doesn't show up on your SBOM
- Which in turn means CVEs won't show up for left pad when you run your SBOM through SCA
- Which means you don't have to do any CVE triage, risk analysis, and mitigation (patching) for left pad
- It also means you don't have to do SOUP testing for left pad
Now imagine you've done that for a dozen libraries that you are only using a small piece of. That's a ton of regulatory and cybersecurity work you've saved yourself. I never claimed generating code makes your software more secure, I claimed it can reduce the regulatory and cybersecurity burden on your SDLC, which it does as demonstrated above. Taken to the extreme (0 external dependencies), your regulatory burden for SOUP and SCA goes to zero.
umvi|25 days ago