Drew Reinig makes a very interesting point: “If Mythos continues to find exploits so long as you keep throwing money at it, security is reduced to a brutally simple equation:to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.”
Here, I want to qualify this statement with an angle that’s actionable for new organizations and small teams: from a security perspective, the system size/complexity is more important than before. A system of three thousand lines of code will have less bugs than a system with ten thousand. The relation is probably superlinear (so that 3x the line count is perhaps 10x the bug count). This was true before AI entered the exploit scene. But with exploits now being AI generated, it’s more valuable to have a small system, because there’s less surface area to secure.
Drew mentions popular open source projects as being a better alternative than homespun code, since it’s more hardened. I would emphasize the use of simple, well-written open source projects, since those are the ones that will have less bugs to start with (and hardened by public scrutiny, to boot). Perhaps the metric to look for in libraries is simply the size of the code (including its dependencies, and the dependencies of its dependencies).