johnfn 12 hours ago

After a release, attackers have effectively infinite time to throw an LLM against every line of your code - an LLM that only gets smarter and cheaper to run as time passes. In order to feel secure you'd need to do all the work you'd imagine an attacker would ever do, for every single release you ship.
utopiah an hour ago | parent | next

> attackers have effectively infinite time

No, attackers are also rational economic actors. They don't randomly attack any software just for the aesthetic beauty of the process. They attack for bounty, for fame, for national interest, etc. No matter the reason, it's not random and thus they DO have a budget, both in time and money. They attack THIS project versus another project because it's interesting to them. If it's not, they might move to another project, but they certainly won't spend infinite time, precisely because they don't have infinite resources. IMHO it's much more interesting to consider the realistic arms race than theoretical scenarios that never take place.
mixdup 11 hours ago | parent | prev | next

The first few times it's going to be expensive, but once everyone level-sets with intense scans of their codebases, "every single release" is actually not that big a deal, since you are not likely to be completely rebuilding your codebase every release.
stavros 11 hours ago | parent | prev

This assumes that the relationship between "LLM tokens spent" and "vulnerabilities found" doesn't plateau, though.