frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

Time Spent on Hardening

https://third-bit.com/2025/09/18/time-spent-on-hardening/
30•mooreds•2h ago

Comments

esafak•1h ago
Given his experience, I'm surprised that the author is surprised that companies don't know how much time they spend on hardening. Nobody gets paid to do that unless necessary for compliance; companies prefer to build features, and don't track this stuff. Don't even think about asking them to quantify the benefit of hardening.

https://www.wiley.com/en-us/How+to+Measure+Anything+in+Cyber...

actionfromafar•1h ago
It is pretty unknowable.
mathattack•24m ago
I'm huge into measurement, and quantifying this has stumped me. It's one of the few areas I'm willing to surrender and say "Let's just pick a % of time to put on it."

It's bad to say "Let's give it to folks who are underutilized or have capacity" because those are rarely the people who can do it well.

All I can come up with is the hardening % should be in proportion to how catastrophic a failure is, while keeping some faith that well done hardening ultimately pays for itself.

Philip Crosby wrote about this in manufacturing as "Quality is Free" https://archive.org/details/qualityisfree00cros

c2h5oh•1h ago
The time spend on hardening software is always zero or very close to that unless the company makes that hardening a selling point of the product they make.

In the world of VC powered growth race to bigger and bigger chunk of market seems to be the only thing that matters. You don't optimize your software, you throw money at the problem and get more VMs from your cloud provider. You don't work on fault tolerance, you add a retry on FE. You don't carefully plan and implement security, you create a bug bounty.

It sucks and I hate it.

jmclnx•1h ago
Depends upon the software.

I find valgrind easy on Linux and ktrace(1) on OpenBSD easy to use. I do not spend much time, plus I find testing my items on Linux, OpenBSD and NetBSD tends to find most issues without a lot of work and time.

c2h5oh•52m ago
This is not a "companies don't spend enough time with static and dynamic analysis of their software" problem, it's "less than a third of companies I worked or consulted for in the past 20 years mandated having input validation of any kind" problem.
esafak•1h ago
Then you'll get hacked or have an outage, and unless you're a monopoly it will cost you. But will the people who made poor decisions be held accountable?

You can do a decent hardening job without too much effort, if follow some basic guidelines. You just have to be conscientious enough.

c2h5oh•1h ago
I was once told to stop wasting time submitting PRs adding null checks on data submitted via a public API. You know, the kind of checks that prevented said API from crashing if a part of payload was missing. I was told to stop again with my concerns dismissed when I pointed similar things out during code review. I left that company not long after, but it's still around with over a quarter of a billion in funding.

I would love to say that this was an exception during almost 20 years of my professional career, but it wasn't. It was certainly the worst, but also much closer to average experience than it should have been.

juancn•53m ago
Also, depending on the system, time spent on hardening is many times happening concurrently with some other tasks.

Maybe you trigger a load test, or run a soaking test or whatever, while that runs you do something else, pause and check results, metrics, logs, whatever.

If something is funky, you may fix something and try again, get back to your other task and so on.

It's messy, and keeping track of that would add significant cognitive load for little gain.

jimmyl02•48m ago
This metric is typically tracked internally and probably wouldn't be as public because it could indicate how "buggy" a product is. An easy way to measure this is time spent taking incidents from open -> mitigated -> resolved and treating that as time spent * engineers for amount of impact.

The tricky part would be measuring time spent on hardening and making the business decision on how to quantify product features vs reliability (which I know is a false tradeoff because of time spent fixing bugs but still applies at a hand wavy level)

walterbell•47m ago
Why does Nvidia have 50%+ margins on hardware that is price segmented by software/firmware, e.g. Ada (!) in RISC-V security chip? Because their license enforcement has been hardened. How much did 50% margin contribute to 4T valuation?

Feedmaker: URL + CSS selectors = RSS feed

https://feedmaker.fly.dev
23•mustaphah•1h ago•3 comments

Ask HN: Has anyone else been unemployed for over two years?

173•ncarlson•1h ago•106 comments

An untidy history of AI across four books

https://hedgehogreview.com/issues/lessons-of-babel/articles/perplexity
66•ewf•4h ago•23 comments

Ants that seem to defy biology – They lay eggs that hatch into another species

https://www.smithsonianmag.com/smart-news/these-ant-queens-seem-to-defy-biology-they-lay-eggs-tha...
282•sampo•9h ago•86 comments

R MCP Server

https://github.com/finite-sample/rmcp
48•neehao•2d ago•5 comments

Show HN: WeUseElixir - Elixir project directory

https://weuseelixir.com/
39•taddgiles•1h ago•5 comments

Three-Minute Take-Home Test May Identify Symptoms Linked to Alzheimer's Disease

https://www.smithsonianmag.com/smart-news/three-minute-take-home-test-may-identify-symptoms-linke...
32•pseudolus•3h ago•3 comments

The Economic Impacts of AI: A Multidisciplinary, Multibook Review [pdf]

https://kevinbryanecon.com/BryanAIBookReview.pdf
29•cjbarber•2h ago•10 comments

Time Spent on Hardening

https://third-bit.com/2025/09/18/time-spent-on-hardening/
30•mooreds•2h ago•11 comments

Your very own humane interface: Try Jef Raskin's ideas at home

https://arstechnica.com/gadgets/2025/09/your-very-own-humane-interface-try-jef-raskins-ideas-at-h...
41•zdw•4h ago•0 comments

Internet Archive's big battle with music publishers ends in settlement

https://arstechnica.com/tech-policy/2025/09/internet-archives-big-battle-with-music-publishers-en...
236•coloneltcb•3d ago•98 comments

Ruby Central's Attack on RubyGems [pdf]

https://pup-e.com/goodbye-rubygems.pdf
558•jolux•14h ago•172 comments

Kernel: Introduce Multikernel Architecture Support

https://lwn.net/ml/all/20250918222607.186488-1-xiyou.wangcong@gmail.com/
75•ahlCVA•6h ago•12 comments

Show the Physics

https://interactivetextbooks.tudelft.nl/showthephysics/Introduction/About.html
125•pillars•3d ago•7 comments

How to waste CPU like a Professional

https://mostlynerdless.de/blog/2025/09/19/how-to-waste-cpu-like-a-professional/
8•tanelpoder•1h ago•1 comments

Revamping an Old TV as a Gift (2019)

https://blog.davidv.dev/posts/revamping-an-old-tv-as-a-gift/
49•deivid•7h ago•21 comments

YouTube downloaders (and how Google silenced the press)

https://windowsread.me/p/best-youtube-downloaders
121•Leftium•10h ago•35 comments

Safepoints and Fil-C

https://fil-c.org/safepoints
54•matt_d•3d ago•24 comments

Tonemaps

https://mini.gmshaders.com/p/tonemaps
3•bpierre•1d ago•0 comments

Shipping 100 hardware units in under eight weeks

https://farhanhossain.substack.com/p/how-we-shipped-100-hardware-units
87•M_farhan_h•1d ago•47 comments

Trump to impose $100k fee for H-1B worker visas, White House says

https://www.reuters.com/business/media-telecom/trump-mulls-adding-new-100000-fee-h-1b-visas-bloom...
443•mriguy•2h ago•465 comments

I regret building this $3000 Pi AI cluster

https://www.jeffgeerling.com/blog/2025/i-regret-building-3000-pi-ai-cluster
381•speckx•7h ago•293 comments

Dynamo AI (YC W22) Is Hiring a Senior Kubernetes Engineer

https://www.ycombinator.com/companies/dynamo-ai/jobs/fU1oC9q-senior-kubernetes-engineer
1•DynamoFL•10h ago

Internal emails reveal Ticketmaster helped scalpers jack up prices, FTC says

https://arstechnica.com/tech-policy/2025/09/ticketmaster-intentionally-screwed-fans-out-of-billio...
245•dthread3•3h ago•102 comments

Nostr

https://nostr.com/
291•dtj1123•16h ago•263 comments

Dialing Up the Internet Phonebook

https://pketh.org/internet-phonebook.html
5•surprisetalk•1d ago•0 comments

The health benefits of sunlight may outweigh the risk of skin cancer

https://www.economist.com/science-and-technology/2025/09/17/the-health-benefits-of-sunlight-may-o...
164•petethomas•17h ago•152 comments

Statistical Physics with R: Ising Model with Monte Carlo

https://github.com/msuzen/isingLenzMC
99•northlondoner•13h ago•60 comments

Lethal Trifecta attack leaking private data in Notion AI agents

https://twitter.com/simonw/status/1969111931152634010
6•abirag•33m ago•1 comments

Frying Eggs and Air Quality Tests

https://chillphysicsenjoyer.substack.com/p/frying-eggs-and-air-quality-tests
60•crescit_eundo•3d ago•121 comments