upvote

points

by Analemma_10 hours ago |
comments
upvoteby j-conn6 hours ago|
next
[-]
OpenAI just released “codex security”, worth trying (along with other suggestions) if your org has access https://openai.com/index/codex-security-now-in-research-prev...
reply
upvoteby simonw9 hours ago|
prev|
next
[-]
The HackerOne slop is because there's a financial incentive (bug bounties) involved, which means people who don't know what they are doing blindly submit anything that an LLM spots for them.

If you're running the security audit yourself you should be in a better position to understand and then confirm the issues that the coding agents highlight. Don't treat something as a security issue until you can confirm that it is indeed a vulnerability. Coding agents can help you put that together but shouldn't be treated as infallible oracles.

reply
upvoteby hansvm5 hours ago|
parent|
next
[-]
That sounds like the same problem (a deluge of slop) with a different interface (eating straight from the trough rather than waiting for someone to put a bow on it and stamp their name to it)?
reply
upvoteby stubish31 minutes ago|
parent|
next
[-]
Seems very similar to turning on compiler warnings. A load of scary nothings, and a few bugs. But you fix the bugs and clarify the false positives, and end up with more robust and maintainable code.
reply
upvoteby simonw5 hours ago|
parent|
prev|
[-]
I've found it's pretty good. It's really not that much of a burden to dig through 10 reports and find the 2 that are legitimate.

It's different from Hacker One because those reports tend to come in with all sorts of flowery language added (or prompt-added) by people who don't know what they are doing.

If you're running the prompts yourself against your own coding agents you gain much more control over the process. You can knock each report down to just a couple of sentences which is much faster to review.

reply
upvoteby Mapsmithy4 hours ago|
parent|
[-]
You also probably have a much better idea of where the unsafe boundaries in your application are. Letting the models know this information up front has given me a dozen or so legitimate vulnerabilities in the application I work on. And the signal to noise ratio is generally pretty good. Certainly orders of magnitude better than the terrible dependabot alerts I have to dismiss every day
reply
upvoteby johannes12343218 hours ago|
parent|
prev|
[-]
The question still is: will enough useful stuff be included, to make it worth to dig through the slop? And how to tune the prompt to get better results.
reply
upvoteby simonw8 hours ago|
parent|
next
[-]
Best way to figure that out is to try it and see what happens.
reply
upvoteby Groxx7 hours ago|
parent|
[-]
[claimed common problem exists, try X to find it] -> [Q about how to best do that] -> "the best way to do it is to do it yourself"

Surely people have found patterns that work reasonably well, and it's not "everyone is completely on their own"? I get that the scene is changing fast, but that's ridiculous.

reply
upvoteby simonw6 hours ago|
parent|
next
[-]
There's so much superstition and outdated information out there that "try it yourself" really is good advice.

You can do that in conjunction with trying things other people report, but you'll learn more quickly from your own experiments. It's not like prompting a coding agent is expensive or time consuming, for the most part.

reply
upvoteby nl7 hours ago|
parent|
prev|
[-]
/security-review really is pretty good.

But your codebase is unique. Slop in one codebase is very dangerous in another.

reply
upvoteby bluGill8 hours ago|
parent|
prev|
next
[-]
That depends on how the tool is used. People who ask for a security vulnerability get slop. People who asked for deeper analysis often get something useful - but it isn't always a vulnerability.
reply
upvoteby unethical_ban6 hours ago|
parent|
prev|
next
[-]
I assume it's just like asking for help refactoring, just targeting specific kinds of errors.

I ran a small python script that I made some years ago through an LLM recently and it pointed out several areas where the code would likely throw an error if certain inputs were received. Not security, but flaws nonetheless.

reply
upvoteby ronsor7 hours ago|
parent|
prev|
[-]
You're either digging through slop or digging through your whole codebase anyway.
reply
upvoteby lmeyerov9 hours ago|
prev|
next
[-]
We split our work:

* Specification extraction. We have security.md and policy.md, often per module. Threat model, mechanisms, etc. This is collaborative and gets checked in for ourselves and the AI. Policy is often tricky & malleable product/business/ux decision stuff, while security is technical layers more independent of that or broader threat model.

* Bug mining. It is driven by the above. It is iterative, where we keep running it to surface findings, adverserially analyze them, and prioritize them. We keep repeating until diminishing returns wrt priority levels. Likely leads to policy & security spec refinements. We use this pattern not just for security , but general bugs and other iterative quality & performance improvement flows - it's just a simple skill file with tweaks like parallel subagents to make it fast and reliable.

This lets the AI drive itself more easily and in ways you explicitly care about vs noise

reply
upvoteby ares62310 hours ago|
prev|
[-]
No mention of the quality of the engineers reviewing the result?
reply