Comment by dm3
6 days ago
This approach to security is backwards. It's way harder to find security issues than to never include them in the first place. This approach might work for another webapp but I highly doubt a retroactive security analysis is practical for a more involved system.
Yeah. A lot of security issues are design issues, not "I reused a buffer for something else" issues.
Fixing design and/or architecture at a high level usually requires a signficant rewrite; sometimes even a switch in technology stacks.