Who, exactly produced the code for AI?

[1]Little Bobby Tables is alive and well.

[1] https://xkcd.com/327/

Humans might survive, it is the databases that will be going extinct-by-injection. Now that I think of it,...humans can no longer live without the databases and will go extinct too.

.... has to be the funniest thing I read all day so far, and that included some brilliant posts on mastodon.

I could see this approach working if everyone ran everything in the cloud and build pipelines could update continuously with fixes as the AI DAST/SAST tooling found vulnerabilties and fixed them,

BUTT...

This does not fix the problem with operating systems being vulnerable to things (as they are not 'cloud') nor will it help with locally deployed apps (unless there is near constant updating of the apps), nor will it help with testing compatibility for clients that consume the updates, or the changing user experience.

I'm torn here between marvelling at the vision of people that think AI can save the world (even when it seems like the use cases are scraping the bottom of the barrel with a plan to throw it against the wall and see what sticks) and the shot-sightedness of the same people's understanding of how normal enterprise IT works.

So-callled AI (LLMs) has produced more true believers than anything else for a long time.

Ultimately, she said, "if we're able to build and deploy and govern these incredibly powerful technologies in a secure way, I believe it will lead to the end of cybersecurity."

In other words, if we are able to build software securely, we will have software security.

FFS, does she have no common sense?

For starters AI isn't going to fix crap software reliably anytime soon (if ever) and then there's the minor problem that human greed and lawlessness are a constant. The software industry have been insecure since forever, and there's NOTHING going on that persuades me that their products are becoming any more resistant to the malcontents.

We've already seen AI used for cyber attacks, impersonation fraud, and simple malicious spam, and the crims have barely got started on the opportunities of AI.

It's not even true though. It's a profoundly over-simplified view of computer security, naively ignoring the adversarial nature of the endeavour. Even if somehow, miraculously software bugs ceased to exists, humans, and other systems, still need to use that software and that use is itself represents one of the broadest categories of vulnerability.

'The end of cybersecurity' will come whenever computers cease to exist and not before.

to think that a little AI magic pixie dust will solve all security problems.

The truth is good, old fashioned software engineering practice that starts with a secure design and ends with quality assurance testing.

Yes: AI might help with this but AI must not be used as an excuse to cut s/ware development costs - which only results in enshittification.

It's always great to see that people chosen to lead these kind of agencies have absolutely zero understanding of what the agency does and how technology actually works.

I read it as Easterly suggesting that vendors used AI vulnerability scanning before releasing systems for hackers to try. Not trusting AI to write secure code.

Jen Easterly did a lot of good work at CISA, she was pushed out because of politics over the role of the agency.

Expressing the opinion that all security incidents are caused by poor quality software and that LLMs can solve the problem indicates a fundamental lack of understanding.

Whether Easterly did good work at CISA before she was pushed out for not sucking up to the mad orange king does not change my opinion of her lack of understanding.

Reading stuff like this always reminds me of Richard Feynman's appendix F to the report of the presidential commission on the Challenger disaster. [1]https://www.nasa.gov/history/rogersrep/v2appf.htm . In his appendix, Feynman describes a three order of magnitude gap between the reliability estimates of the working engineers (estimate 1 failure per 100 launches) and the project management (1 per 100,000 launches).

Let's just say that I suspect Ms Easterly probably wasn't the best possible choice for CISA head and that Trump's nominee for the job Sean Plankey doesn't look to be that much of an improvement. Could be wrong about that. Hope I am.

And, Oh Yes, Trump wants to cut the CISA budget and reduce staffing by a third. Will that make CISA 33% less ineffectual?

[1] https://www.nasa.gov/history/rogersrep/v2appf.htm

Nominative determination at work again -Trump's nominee for the job Sean Plankey

That sounds like a job for GenAI!

Or even JenAI (see the IT crowd).

> "We don't have a cybersecurity problem. We have a software quality problem," she said. The main reason for this was software vendors' prioritization of speed to market and reducing cost over safety.

That's actually not wrong.

Where she goes wrong is with the solution. Software vendors put security at a very low priority not because they're dumb or evil (though some are), but because all the economic incentives are extremely in favor of speed to market and cost reduction, and security costs a lot of time and money. As long as the incentives are the same, shifting the problem to AI won't solve it.

And now I know, I'd confidently say that I wouldn't trust this person to competently operate a microwave oven, never mind any sort of "computer".

No, AI isn't the magical unicorn pissing rainbows and sparkles. And one needs only look at the quality of GenAI pictures, stories, discussions, and code to know that it may well fix the problem it identifies but create a dozen different problems in the process. There's no "intelligence", no "understanding", and very little "memory" (as in remembering context). That's not something I'd let anywhere near actual executable code without plenty of human oversight, and full unit testing.

Spoken like a true corporate shill.

Hillarious at best, terrifying otherwise.

He's clearly not spotted that the introduction of AI coding has coincided with a massive dip in the quality of software being produced.

It seems to be daily I'm exposed absolute mounds of crap that are proudly released by many a major company. The only elements of these junkware apps that seem to work well are their unlawful levels of data collection and their continued persistance in pushing some form of AI labelled chatbot dungheap.

It'll all boil down to costs. The price of secure engineering is still going to be high with "AI" solutions because the billions invested have to be repaid and a poor sod will still have to be paid to verify and, crucially, be capable of understanding the output and consequences. My bet is nothing much will change once the true cost becomes apparent.

Nuff Sed!

Sounds great except who is going to validate that the AI code solves the problem and doesn't introduce any new ones?

Especially given that compromising AI systems is trivially easy and there appears to be no way to make LLMs secure.

Either you have a security team to second-guess your security-team-replacing AI or you don't have security.

I always argued that flowcharts were the way to design software. They show logic in two dimensions, making many errors and omissions much easier to see. But the industry has chosen the path of 'foolproof' programming languages, so the flow of disasters has continued apace.

I would like to see AI creating and analysing flowcharts to find and fix flaws.

The AI company that is paying her to shill is not getting their money's worth