(github.com)

425 points sfarshid | 2 comments | 24 Aug 25 16:18 UTC | HN request time: 1.523s | source

Show context

ofjcihen ◴[25 Aug 25 03:09 UTC] No.45009836[source]▶

As a security professional who makes most of my money from helping companies recover from vibe coded tragedies this puts Looney Toons style dollar signs in my eyes.

Please continue.

replies(4): >>45009849 #>>45011422 #>>45011729 #>>45015658 #

phito ◴[25 Aug 25 08:01 UTC] No.45011422[source]▶

>>45009836 #

Are LLMs better or worse at security than a team full of fresh graduates?

replies(2): >>45011973 #>>45013556 #

ath3nd ◴[25 Aug 25 09:33 UTC] No.45011973[source]▶

>>45011422 #

Far far far far worse.

replies(1): >>45012654 #

1. phito ◴[25 Aug 25 11:25 UTC] No.45012654[source]▶

>>45011973 #

In my experience, LLMs do not make a lot of the security mistakes most developers do, just because it is aware of their existence while most devs just are not. But then they could also make the mistake at some point, and the vibe coder guiding it might not catch it... Do you have any examples? I find this really interesting.

replies(1): >>45012726 #

2. acdha ◴[25 Aug 25 11:35 UTC] No.45012726[source]▶

>>45012654 (TP) #

LLMs aren’t aware of anything - that’s pareidolia of intelligence – but they hopefully have been trained on code which has more secure than insecure code. That’ll help with some classes of problem like using string operations to make database queries but it does have the cost that people might not review it as deeply for more subtle problems.

↑

We put a coding agent in a while loop