Snowflakes: The Power of the Unique

With software development costs heading toward zero, the opportunity is here: build your own bespoke solution. Why? Because now you CAN!

The "build vs. buy" math has changed forever.

I hear you: it's one thing that with AI agents you can now churn out code at an unprecedented level - but who is going to deploy it, fix all the bugs, maintain it, and most importantly who is going to keep it secure?

Snowflakes

IT does not like snowflakes. It's actually more serious than just "not liking it". Folks hate snowflake solutions. A black box, very likely not well documented, hard to know (impossible?) what's going on inside.

This is the new reality we are facing now with AI coding agents: their code may work as intended, but reviewing it fully, oh man, there's just not enough time...

Supply chain domino

OK, let's say you DON'T go down that route (yet) and you still prefer SaaS: well documented, tried and tested. There are already a few negative aspects there too: the supply chain security is a "black box" in this case as well, and on top of that you have no real control over it.

Once a vulnerability is exploited it hurts everyone.

On the other hand it's hard to argue against the comfort of the "off-the-shelf" solution. Security? Oh, it's someone else's problem.

Until it isn't.

The snowflake advantage

The fallacy of "reinventing the wheel" is clearly here, but for a moment, let's think about the advantages:

Uniqueness also offers business advantage. It's super-tailored to your specific business needs. No need to ask your vendor for a non-trivial change or feature and wait.

No bloated features in the first place (following YAGNI). Build only what you need right now.

Bespoke software can be "lean" - if you don't need a file-sharing module, it simply doesn't exist in the code, leaving one less path for a breach.

If a vulnerability is found in a popular SaaS platform, millions of companies are at risk simultaneously. But not you.

With unique software, an attacker cannot rely on public documentation, community forums, or known CVEs to find a way in. Attacking you becomes expensive.

Also, you have control over your patching cadence. What you patch and when becomes your responsibility.

The snowflake disadvantage

You can't rely on a community to help you find flaws. If your AI (or team) misses a bug, it might stay there for years.

Security through obscurity: relying on the fact that "no one knows (externally) how it works". Though if an attacker does figure it out, they might find a total lack of standard defenses.

Technical debt & code rot: this used to be a much more serious issue. When you depend on an in-house, human team and core developers leave, the code base can become "unpatchable", since no one is left with the knowledge of how the business logic works and, most importantly, why it works that way.

This last bit is something the agentic AI tools - or the AI tools in general - are trying to address: with AI agents, the "knowledge" remains there, and can be more easily documented.

What do we have right now?

With the various implementations of Spec Driven Development, and on top of that the latest factors of skills.md and soul.md, what becomes very well executed is the initial documentation of the specifications and the requirements.

The challenge now is that the specs and the requirements keep changing over time: how will the AI agent keep up?

Or, rather: how will the human in the loop keep control, and how will he/she keep up with the ever-changing requirements?

This is a topic for another piece.


What do you think? Are you ready to roll your own?