Codesurf Blog
Deep dives on AI review workflows, practical security posture, and faster engineering operations.
40% of AI-generated code contains exploitable vulnerabilities according to peer-reviewed research. This post examines the specific failure modes, why they survive review, and what a minimal check layer looks like.
Three real supply-chain attacks — xz utils (CVE-2024-3094), polyfill.io (110K+ sites), and event-stream (cryptocurrency theft) — and what they teach about dependency auditing that actually prevents incidents.
Most security audits produce shelfware. This post shows how to run audits grounded in real vulnerability patterns — with specific CVEs, attack chains, and a triage model that produces fixes instead of reports.
Architecture debt shows up as hesitation — files nobody wants to touch, changes that take 10x longer than expected, and onboarding that requires oral history. Here's how to find and fix the structural problems that slow teams down.
Teams that treat code quality as a taste preference never fix it. Teams that measure its impact on delivery speed fix it fast. Here's the measurement framework and the specific patterns that slow teams down most.
41% of code is now AI-generated. The speed is real. So is the 1.7x defect rate, the 45% security failure rate, and the supply chain attack that exploits hallucinated package names. Here's what the data actually says.