Comment by NitpickLawyer
2 days ago
> most people won't care - and won't notice the security flaws that are going to be rife in such large, and frankly mostly unread, codebases.
I agree. But what I'm trying to say is that we'll soon have automated agents that look for vulnerabilities, in agentic flows, ready to be plugged into ci/cd pipelines.
> Honestly I think the security world is primed for it's most productive years.
In the short term, I agree. In the long run I think a lot of it will be automated. Smart fuzzers, agentic vuln scanning, etc. My intuition is that we'll soon see "GAN"-like pipelines with red vs. blue agents trained in parallel.
"Looking for vulnerabilities" is not really a core part of creating secure software. That part of the infosec trashfi^Windustry is all about already deployed software.
You can only get somewhere close to creating secure software by constructing something that is secure by design. Think narrow-interface sandboxes and encoding visibility scopes into types, not "scan for known bad things".
> I agree. But what I'm trying to say is that we'll soon have automated agents that look for vulnerabilities, in agentic flows, ready to be plugged into ci/cd pipelines.
We already have that, and we can see it doesn't perform very well.
An agent that has no reasoning ability will not generate better code than what it was trained on.
https://garymarcus.substack.com/p/llms-dont-do-formal-reason...
If the solution to all problems with attaching gpu farms to our workflows is to attach more gpu farms to our workflows, I can't see how this isn't just an elaborate scam.