Get AI summaries of any video or article — Sign up free
Why Does Software Keep Breaking? thumbnail

Why Does Software Keep Breaking?

The PrimeTime·
5 min read

Based on The PrimeTime's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Software reliability drops sharply when programs depend on many external APIs and services whose compatibility can change over time.

Briefing

Software keeps breaking because modern systems depend on a long chain of external assumptions—APIs, frameworks, services, and layers of abstraction—that can change independently. Even if each dependency is “likely” to keep working for a year, the combined probability that everything still works drops fast as the number of calls grows. The result is a practical reality: maintaining software becomes less about building features and more about constantly repairing breakages.

A central point is quantified with a simple probability model. If a single external dependency has a 90% chance of remaining compatible after a year, then code that relies on multiple such dependencies becomes fragile quickly; the chance the whole system still works after time declines roughly exponentially with the number of dependencies. Even when assuming an unusually high per-API reliability—like 99%—the overall outlook still looks bad once software uses multiple services. The takeaway is not that one API is unreliable, but that typical software stacks are too interconnected for “mostly stable” to be stable in practice.

That fragility creates knock-on effects beyond annoyance. Developers feel like they’re drowning in constant churn: libraries evolve, services get deprecated or replaced, and teams spend time shuffling components to prevent collapse rather than doing satisfying engineering work. This also helps explain why AI coding tools are attractive—when the environment is punishing and repetitive, automation feels like relief. But the criticism is that AI is often being used to patch over a broken ecosystem rather than fixing the underlying causes of instability.

Security is framed as the most serious downstream risk. When systems change constantly, vulnerabilities spread through unfamiliar combinations of frameworks and services, and defenders struggle to know what to secure or even where the attack surface lives. A concrete example comes from an AI-assisted login flow: when asked about session security, the assistant suggested using JWTs, and the discussion highlights how easy it is to miss the right security questions unless someone already knows what to look for. In a world where AI-generated code is widely copied, the “where did this exploit come from?” problem becomes harder—unlike past framework vulnerabilities where the community can track and patch known issues, AI-produced patterns could embed weaknesses across many codebases without clear provenance.

The conversation also raises a strategic fear: cheaper software creation can increase the volume of malware and attacks. If AI reduces the cost of building code, it may also reduce the cost of building insecure or malicious code, intensifying the cat-and-mouse dynamic between exploit developers and defenders. Even if AI improves defensive coding, training and deployment cycles may lag behind attackers who can iterate faster.

Finally, there’s a more optimistic thread about education. AI can help learners by providing explanations and guidance, but the best learning outcomes may require AI tutors designed to avoid handing over complete answers—encouraging students to struggle productively, debug, and build understanding. The overall message is a balancing act: AI can reduce friction for learning and some engineering tasks, but the broader software ecosystem’s instability—and its security consequences—still demands serious attention.

Cornell Notes

Software breaks because modern programs rely on many external dependencies—APIs, services, and frameworks—that can change over time. A probability model shows that even high per-dependency “compatibility” rates (like 90% or 99% per API per year) lead to a steep drop in the chance that an entire multi-API system still works after time. That churn makes development feel like constant triage rather than building. The biggest concern is security: frequent change plus complex stacks make it hard to know what’s vulnerable, and AI-generated code could spread hidden weaknesses widely without clear tracking. AI tools may still help, especially for learning, if they guide rather than fully answer.

Why does a small chance of API breakage become a big problem for real software?

Because software typically depends on multiple external calls. If each dependency has a probability p of still working after a year, and the app makes n such calls/dependencies, the chance the whole system remains working scales like p^n (the conversation describes this as p to the x times n). With 90% per dependency, even a few dependencies make the overall reliability “dismal.” Even with an optimistic 99% per dependency, the combined probability still falls quickly as the number of APIs grows.

What practical effect does constant breakage have on developers?

It turns engineering into ongoing damage control. Developers spend time reacting to changes—framework behavior shifts, services get canceled, endpoints or contracts evolve—rather than building. The discussion frames this as feeling more like management or operations (“keep the house of cards from collapsing”) than programming, which reduces satisfaction and increases burnout.

How does the conversation connect software instability to security risk?

Frequent change and layered abstractions expand the attack surface and make it unclear what must be secured. Security depends on knowing the components and their known issues; when stacks are constantly shifting, defenders may not even know where vulnerabilities live. The example involving an AI-generated login flow illustrates how dangerous assumptions can be: if someone doesn’t know to ask for cryptographically signed verification (e.g., JWT-based protections), they might end up with a system that can be spoofed.

Why could AI-generated code make vulnerability tracking harder than with traditional frameworks?

With widely used frameworks, the community often knows what component is vulnerable and can patch quickly. With AI-generated code, similar insecure patterns could be produced and copied across many codebases, but without clear provenance. That means fewer people can identify the common source of an exploit, and defenders may not know how many systems contain the same weakness.

What fear is raised about AI lowering the cost of software creation?

If AI reduces the cost and effort of producing code, it may also reduce the cost of producing malware, DDoS tooling, and other malicious software. That could increase the volume of attacks, even if defensive tools improve. The conversation also notes that training/patch cycles may lag behind attackers who can iterate quickly, worsening the cat-and-mouse dynamic.

How does the discussion suggest AI could help learning without undermining it?

It argues that AI tutors are most useful when they guide rather than deliver full solutions. A “rabbi”-style approach—giving hints, pointing to concepts, and requiring the learner to work through the problem—can preserve learning value. The conversation contrasts this with generic assistants that can repeatedly provide complete answers, which may reduce productive struggle and debugging practice.

Review Questions

  1. In the probability model described, how does the number of external dependencies affect the likelihood that an app still works after a year?
  2. What security challenges arise when software relies on many changing frameworks and services?
  3. What design choice for AI tutoring would best support learning according to the discussion: full answers, hints, or something else—and why?

Key Points

  1. 1

    Software reliability drops sharply when programs depend on many external APIs and services whose compatibility can change over time.

  2. 2

    A simple model using per-dependency “still works” probabilities shows overall system success declines roughly exponentially with the number of dependencies.

  3. 3

    Constant breakage shifts developer time from feature work to continuous repair, making software engineering feel less satisfying.

  4. 4

    Security becomes harder in unstable, layered stacks because defenders may not know what to secure or where vulnerabilities originate.

  5. 5

    AI-generated code could spread insecure patterns widely without clear provenance, complicating vulnerability tracking and patch coordination.

  6. 6

    Lower costs for producing code may increase the volume of both legitimate software and malicious tooling, intensifying the attacker/defender cycle.

  7. 7

    AI can support learning effectively when it provides guidance and hints rather than complete solutions that bypass debugging and understanding.

Highlights

Even with optimistic assumptions like 99% compatibility per API call, multi-API software still becomes fragile as dependencies accumulate.
Security risk is framed as a knowledge problem: constant churn and abstraction make it unclear what’s vulnerable and how to fix it quickly.
AI-assisted login code can be dangerously incomplete if the user doesn’t know to request the right security properties (e.g., cryptographically signed verification).
The “cat-and-mouse” dynamic may worsen if attackers can iterate faster than defenders can train, deploy, and patch.
For education, the most promising AI role is tutoring that nudges learners toward solving—not handing over the finished code.

Topics

Mentioned

  • REST
  • JWT
  • LLM
  • DDoS
  • Neoim

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library