Note this is by Jann Horn, the same Google security researcher who discovered Spectre/Meltdown. Serious props to this guy, and hopefully he stays in a whitehat role where he can find and deal with these issues through responsible disclosure.
I mean at 20 (while still in college), cure53 had already gotten curious about Horn, which is quite crazy. (cure53 is one of Germany's best penetration-testing/security companies; they even analyze your software as a service. They actually pentested curl: https://cure53.de/pentest-report_curl.pdf, prometheus: https://cure53.de/pentest-report_prometheus.pdf and probably other high-value software.)
Perhaps people new to the codebase (or the industry, or to life in general) are less likely to view existing constructs as obviously correct, and therefore more likely to point out flaws.
I think you are right. It definitely takes more than that, but you can be the smartest guy in the world and you won't discover many vulnerabilities if you assume certain components are "hallowed ground".
Apparently he thought of the Spectre-style vulnerabilities while reading through the Intel processor manuals[1]. How many established engineers would a) read through these reference manuals at all, and b) question the implementations described therein?
I think software is a young man's game. I think bugs like this take a lot of intense time and focus. As you get older you've got other things to distract you, like kids, wife, house, etc.
I am a lot more careful now compared to the start of my career. I have a lot more experience with testing, and by all metrics I can measure, the code that I ship goes out with a much lower defect rate. I think it is just the reverse: I think software is an excellent profession to stick to for the long haul, because with even a moderate amount of effort you can improve tremendously over time.