I thought this was an interesting article that gets a few things wrong. Obviously, shipping AI-coded stuff to prod will introduce security risks.
But I also think it's important to define what level of security is actually needed for some of these apps. Obviously if you're shipping a product to thousands of enterprise customers, security needs to be tight.
But I would equate it similar to food safety: Many common practices in home kitchens would get you fired immediately in a restaurant.
But home kitchens serve very few people, store less food and store it for less time. They also have fewer people working on them.
I think the same is true for websites and apps.
There's something to be said for the security your type of project needs vs. perfect security.
dtagames•4mo ago
When I worked at IBM as a mainframe programmer in the 90's, the first lesson we were taught is, "There is no such thing as computer security, only the appearance of computer security. Usually, that is enough."
This true at the processor level because any "security" relies on the outcome of a single branch instruction in machine code. If all your security passed, we branch to the "let me in" code. If not, not. No matter how complicated your security is, it will all come down to a single branch instruction and a programmer who can affect the outcome of that branch will bypass any restrictions you put in place.
This is a fundamental truism of computer science, and the software we worked on at IBM did things like run ATMs. When was the last time you heard of someone hacking one of those to spit out bills? Usually, the appearance of computer security is enough.
FinnLobsien•4mo ago
That's true. Plus the question of how much security you actually need. I've interacted with many, many websites and apps that were horribly insecure (e.g. a hotel checkin tool that stored passport scans in a public firebase bucket...).
In the vast majority of cases, this doesn't actually matter (the passport thing of course is pretty bad). If someone found a vulnerability in a vibe-coded event calendar and hacked into it to change the timing of trivia at your local sports bar... who cares?
It's like home security. If you're not rich, famous or extremely unpopular, you should definitely lock your doors, but you probably don't need armed guards.
FinnLobsien•4mo ago
But I also think it's important to define what level of security is actually needed for some of these apps. Obviously if you're shipping a product to thousands of enterprise customers, security needs to be tight.
But I would equate it similar to food safety: Many common practices in home kitchens would get you fired immediately in a restaurant.
But home kitchens serve very few people, store less food and store it for less time. They also have fewer people working on them.
I think the same is true for websites and apps.
There's something to be said for the security your type of project needs vs. perfect security.
dtagames•4mo ago
This true at the processor level because any "security" relies on the outcome of a single branch instruction in machine code. If all your security passed, we branch to the "let me in" code. If not, not. No matter how complicated your security is, it will all come down to a single branch instruction and a programmer who can affect the outcome of that branch will bypass any restrictions you put in place.
This is a fundamental truism of computer science, and the software we worked on at IBM did things like run ATMs. When was the last time you heard of someone hacking one of those to spit out bills? Usually, the appearance of computer security is enough.
FinnLobsien•4mo ago
In the vast majority of cases, this doesn't actually matter (the passport thing of course is pretty bad). If someone found a vulnerability in a vibe-coded event calendar and hacked into it to change the timing of trivia at your local sports bar... who cares?
It's like home security. If you're not rich, famous or extremely unpopular, you should definitely lock your doors, but you probably don't need armed guards.