Knowing the Code
Thursday, 4th June 2026
It always surprises me how many current issues seem to be related to the past, and it makes me wonder: "How did we not see this coming?". Which, in turn, reminds me of a now-famous quote from Steve Jobs' 2005 Stanford commencement speech.
You can't connect the dots looking forward; you can only connect them looking backwards. So you have to trust that the dots will somehow connect in your future.
-- Steve Jobs
This was a very positive and inspiring speech from Steve, and I'm not taking anything away from that. However, sometimes you look backwards at those dots, and you can't help but think to yourself: "Oh fuck!".
In the last few days, two seemingly independent articles have been drawn to my attention. First, Troy Hunt published a blog post about adding the 1,000th data breach to HIBP, and then a colleague shared a link to the Zero Day Clock. These two articles triggered a bit of looking backwards.
The first one reminded me of an article I wrote in 2020, when I was in the very early stages of launching a new side-project. Specifically (and I feel a bit weird about quoting myself), I said:
I believe we need a fundamental change in attitude towards software from both creators and consumers of it.
-- Me
At the time, I was talking about the expectation from consumers that software is free and that developers somehow just magically get paid, and about the fact that, on the business/creator side, they probably don't need all the data they are collecting.
The second reminded me of an even earlier article. In 2018, I wrote about issues with frameworks. Although even back then I made some mention of supply-chain attacks and security, the main motivation for the article was that I had been working on a client's project for a few weeks and had a discussion with the existing developers which revealed that they didn't know how a particular bit of code worked, but were quite content that "the framework just handled it".
The two quotes I had in that article in 2018 seem as relevant today as they were back then:
It's well worth your time to directly own and completely understand the most critical code in your infrastructure
-- Shawn McCool
At 51 years of age, I simply can't abide the "don't waste time understanding, just use a framework" mindset of today's coders, and yet I no longer have the patience to try to explain the problem. Knock yourselves out kids, and get off my lawn!
-- Tony Miller
For well over a decade now, I have witnessed first-hand the decline of Software Engineers.
A large number of so-called "Developers" would be more accurately categorised as "Framework users". They are masters of npm install and know off the top of their heads which packages do what. Unfortunately, they don't fully understand the actual software!
Although neither of those articles was focussed on supply-chain attacks at the time it was written, looking back and connecting the dots, we can see the road that leads to where we are today. In 2026, the software supply chain has become the primary attack vector for cybercriminals and state-sponsored groups. Why bother trying to crack the front lock when the back door is held in place with Blu-Tack!
As an industry, we have to change.
Organisations need to demand transparency in their software supply chains, regardless of whether they have internal development teams or rely on external contractors or vendors. This isn't to say that they must have the in-house knowledge to audit software themselves, but they should at least require some evidence that some level of auditing has taken place.
Software engineers need to stop blindly pulling in thousands of lines of dependency code via package managers without any kind of process for understanding exactly what that code does and where it comes from. It is more than likely that your dependencies have dependencies, and those dependencies have dependencies of their own. It can get very complex, very quickly. That is not an excuse to ignore the issue, though.
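To make that last point concrete, here is an added example (my illustration, not code from the original post) that walks an npm lockfile to list every transitive dependency with its depth in the tree and the origin it was resolved from, flagging anything without an integrity hash or from outside the public registry. The lockfile, the package names and the trusted-origin policy are all constructed for this example.

```javascript
// Added example, not from the original post: walk an npm lockfile (v2/v3
// "packages" shape) to list every transitive dependency with its depth and
// origin. The lockfile is constructed for illustration; names are placeholders.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "app-framework": "^1.0.0" } },
    "node_modules/app-framework": { version: "1.0.0", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/app-framework/-/app-framework-1.0.0.tgz",
      dependencies: { "deep-util": "^2.0.0", "left-helper": "^0.1.0" } },
    "node_modules/deep-util": { version: "2.3.1", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/deep-util/-/deep-util-2.3.1.tgz",
      dependencies: { "tiny-shim": "^1.0.0" } },
    "node_modules/tiny-shim": { version: "1.0.0", // git source, no integrity hash
      resolved: "git+ssh://git@example.invalid/someone/tiny-shim.git#abc123" },
    "node_modules/left-helper": { version: "0.1.0", integrity: "sha512-PLACEHOLDER",
      resolved: "https://mirror.example.invalid/left-helper-0.1.0.tgz" },
  },
};

// Assumed policy: only tarballs from the public npm registry count as a known origin.
const TRUSTED_ORIGIN = "https://registry.npmjs.org/";

// Depth-first walk from the root package. Assumes a flat (deduplicated) tree,
// i.e. no nested node_modules directories. Returns one record per package with
// its depth and any reasons to examine it before trusting it.
function auditLockfile(lock) {
  const pkgs = lock.packages;
  const seen = new Map(); // path -> record; a diamond dependency is visited once
  const walk = (path, depth) => {
    for (const name of Object.keys(pkgs[path].dependencies || {})) {
      const p = "node_modules/" + name;
      if (seen.has(p)) continue;
      const meta = pkgs[p];
      if (!meta) { seen.set(p, { name, depth, flags: ["not in lockfile"] }); continue; }
      const flags = [];
      if (!meta.integrity) flags.push("no integrity hash");
      if (!String(meta.resolved).startsWith(TRUSTED_ORIGIN)) flags.push("non-registry origin: " + meta.resolved);
      seen.set(p, { name, version: meta.version, depth, flags });
      walk(p, depth + 1);
    }
  };
  walk("", 1);
  return [...seen.values()];
}

// Packages that deserve a human look before the next npm install.
function packagesToReview(lock) {
  return auditLockfile(lock).filter((r) => r.flags.length > 0).map((r) => r.name);
}
```

Running it against a real package-lock.json only needs `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object; the point is that the third-level git dependency and the mirror-hosted tarball are visible before anything is installed.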
Know the code!