The Numbers Are Bad

AI-generated code is shipping to production without security review. The tools that generate the code don’t audit it. The developers using the tools often lack the security knowledge to catch what the models miss. This is a growing blind spot in the software supply chain.

  • Blackmist@feddit.ukEnglish
    1·
    45 minutes ago

    It’s not that nobody wants to talk about it.

    It’s that nobody wants to listen.

  • rizzothesmall@sh.itjust.works
    1·
    1 hour ago

    HITL

    AI augmented > AI generated.

    Human review with AI co-review > AI generated review.

    Human-arranged AI augmented documentation > AI documentation which always seems to believe that the most innocuous comment spelling correction is the most important change…

    If you completely remove humans from the development cycle then you don’t know what’s in your codebase anymore.

  • CombatWombat@feddit.onlineEnglish
    21·
    4 hours ago

    Read the diffs. Not all of them.

    How do you write this whole article and come to the conclusion you can merge unread diffs?

  • dan@upvote.au
    13·
    1 hour ago

    The article says:

    None of the tools produced exploitable SQL injection or cross-site scripting

    but I’ve seen exactly this. After years of not seeing any SQL injection vulnerabilities (due to the large increase in ORM usage plus the fact that pretty much every query library supports/uses prepared statements now), I caught one while reviewing vibe-coded code written generated by someone else.

    • ugo@feddit.it
      4·
      2 hours ago

      vibe-coded code written by someone else

      “Someone else” “writes” vibe-coded code in the same way that someone buying a meal at a restaurant cooks said meal.

      • dan@upvote.au
        2·
        1 hour ago

        Haha good point - maybe “generated by” is a better description?

  • floofloof@lemmy.ca
    9·
    4 hours ago

    Nobody who’s into vibe coding wants to talk about it. The sane people, on the other hand, are already well aware.

  • CameronDev@programming.dev
    6·
    3 hours ago

    While human developers bring intuitive understanding

    Well… some do.

    Jokes aside, I don’t think this is an undiscussed topic, and ultimately, the solution is the same as it as always been: project culture. Project leaders need to insist that code is responsibly written and reviewed, and to make it part of the team culture. AI doesn’t change that.