| ▲ | nikcub 4 hours ago |
| It's becoming apparent that it requires more tokens to secure code than it does to write it May even be an order of magnitude more |
|
| ▲ | Mtinie 4 hours ago | parent | next [-] |
| In all seriousness, wasn’t that always the case? Writing bad code is relatively cheap. Ensuring code isn’t bad is the expensive part. |
| |
| ▲ | chrisweekly 2 hours ago | parent [-] | | Sort of? The definition of "bad" from a security PoV is rapidly expanding, in light of relatively new capabilities and increasingly cheap access to exploitable vulnerabilities. | | |
| ▲ | fny an hour ago | parent [-] | | I don't think the definition of "bad" is expanding. Rather the ability to detect and exploit "bad" is. |
|
|
|
| ▲ | tptacek 4 hours ago | parent | prev | next [-] |
| For now, maybe, yes? But the most important targets of this kind of work aren't AI outputs; it's legacy code, particularly (but not exclusively) old memory-unsafe code. In those situations the figure of merit isn't the token cost of recreating the target code; it's the cost of finding the same bugs with humans or preexisting tools. Those costs can be extremely high. |
| |
|
| ▲ | windexh8er 3 hours ago | parent | prev | next [-] |
| Given the slop that's made its way to Github we can see that this is a great profit model. Ship slop and then "fix" slop. What an efficient use of our planet! |
|
| ▲ | bflesch 4 hours ago | parent | prev [-] |
| It's weird because why can't they train the AI to simply output secure code? The basic security flaws with regards to input validation and overflows should never ever be output by an AI. For "security flaws due to bad design" I'll cut them slack until AGI is achieved. |
| |
| ▲ | simonw 4 hours ago | parent | next [-] | | > It's weird because why can't they train the AI to simply output secure code? The most interesting security bugs have causes that are spread across large codebases, or networks of dependencies. Training the AI to "output secure code" won't work if it doesn't also have access to the source code of every dependency that it's using... and even then, given current model speeds and prices most developers won't want to wait for an hour on every edit they make while the LLM reasons through all of the dependencies. | |
| ▲ | tptacek 3 hours ago | parent | prev | next [-] | | What's destabilizing the industry right now isn't vulnerabilities AI introduces into new code; it's a flood of sev:hi vulnerabilities in existing code, not introduced by AI but discovered by it. | | |
| ▲ | chrisweekly 2 hours ago | parent [-] | | Agreed -- and, compounding the challenge, the flood of _reported_ high-sev CVEs is itself a kind of DDoS attack on maintainers. |
| |
| ▲ | bobkb 3 hours ago | parent | prev [-] | | I think these audit tools can look beyond just security and can look for compliance audits as well. The ability to audit real targets in staging environments makes it easy to identify issues. |
|
