it's even worse than that. semgrep wouldn't even discover the earlier mentioned problems in Huawei code, whose purpose explicitly was to evade static analysis tools. They could pack all their calls to strlcpy (wrapping strcpy & friends) into a separate lib that is outside the scope of the security audit.
what makes this article still great IMO is:
1) the shout-out to the Huawei security problems, which are not because we're dealing with a hostile malicious adversary with a strategy to change the channel frequency of 5G towers in a theater of war and fry our citizens' brains[1], but because nobody even needs malicious supply chain implants when you're dealing with poor quality code.
2) an accurate picture of why DevSecOps isn't a thing. Shift-Left is a fool's errand when most companies promote the experienced people who would be suited for a bird's-eye-view / full-stack role into management.
albeit both points were probably not the intention of the author.
[1] https://en.wikipedia.org/wiki/Ghost_Fleet_(novel)