Summary

Ken Kantzer’s 16-lesson retrospective from 20+ code audits at Series A/B startups. Key meta-finding: simple architectures correlated with both better security AND business success; complex microservice architectures were the biggest “foot-gun.” Covers audit ergonomics, vulnerability patterns, and security evolution over the last decade.

Key Points

  • Simple outperformed smart: startups with “Keep It Simple” engineering are now crushing their markets; premature microservices/distributed architectures were the main foot-gun
  • Worst vulnerabilities were obvious: most critical findings were easy to discover (Uber-style token-in-response), not clever exploits — “discoverability is everything in actual exposure”
  • Secure-by-default frameworks dramatically improved security: React’s HTML escaping, serverless stacks removing OS/webserver configuration — frameworks doing security by default beat developer vigilance
  • Monorepos are easier to audit: single codebase, no version divergence across repos
  • Never deserialize untrusted data: PHP deserialization vulnerabilities were consistently severe; always prefer JSON over custom serialization formats
  • JWT/webhook auth almost always wrong on first try: JWTs not invalidated on logout and webhook endpoints that never authenticate the incoming request were commonly missed
  • Custom fuzzing surprisingly effective: a few hours of targeted fuzzing found auth/API bugs even in large codebases
  • Vulnerable dependency chains in npm were “not auditable” — Log4j vindicated the concern
  • Business logic flaws rare but catastrophic when found; smart contracts show human error in formally verified systems

Insights

The correlation between simple architectures and startup success is consistent with the “In Defense of Simple Architectures” evidence — complexity has organizational costs that compound over time. The “discoverability” framing for security impact is underused in practice: vulnerability scoring (CVSS) weights exploitability, but Kantzer’s argument is that real-world hackers are lazy and target the easiest path. The secure-by-default observation has policy implications: mandating framework adoption (Rails, React, Django) does more for security than training developers. The JWT/webhook finding is a specific, actionable red flag for any API audit.
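To make the webhook half of that red flag concrete, here is an added example (not code from Kantzer's post) of the omission the audits kept finding beside a checked version. The header names, the "timestamp.body" signing scheme and the shared secret are all constructed assumptions for this illustration; the point that carries over is verifying an HMAC over the raw bytes, in constant time, inside a replay window.

```python
import hashlib
import hmac
import json
import time

# Constructed assumptions for this example: the sender puts a Unix timestamp
# and an HMAC-SHA256 over "<timestamp>.<raw body>" in two request headers.
SECRET = b"constructed-shared-secret-for-example"
TOLERANCE_SECONDS = 300

def sign(raw_body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender side: MAC over the raw bytes, not over re-serialized JSON."""
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def handle_webhook_unauthenticated(raw_body: bytes, headers: dict) -> dict:
    # The "wrong on first try" version: anything that can reach the URL is
    # treated as the provider, so a forged event is processed as genuine.
    return json.loads(raw_body)

def handle_webhook_authenticated(raw_body: bytes, headers: dict,
                                 now=None, secret: bytes = SECRET) -> dict:
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Webhook-Timestamp", ""))
    except ValueError:
        raise PermissionError("missing or malformed timestamp")
    # Bound the replay window before doing any other work.
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise PermissionError("stale signature")
    expected = sign(raw_body, ts, secret)
    provided = headers.get("X-Webhook-Signature", "")
    # compare_digest keeps the comparison constant-time so a mismatch position
    # is not leaked through response latency.
    if not hmac.compare_digest(expected, provided):
        raise PermissionError("bad signature")
    return json.loads(raw_body)

def accepts(raw_body: bytes, headers: dict, now=None) -> bool:
    """True if the authenticated handler would process this request."""
    try:
        handle_webhook_authenticated(raw_body, headers, now=now)
        return True
    except PermissionError:
        return False
```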

Connections

Raw Excerpt

Simple Outperformed Smart. The startups we audited that are now doing the best usually had an almost brazenly ‘Keep It Simple’ approach to engineering. The major foot-gun that got a lot of places in trouble was the premature move to microservices, architectures that relied on distributed computing, and messaging-heavy designs.