alt Hacker News> I think you overestimate the ability of AI to write perfectly secure apps. Humans can't do it, and AI is trained on their work.
Ironically, AI tend to be better at securing code, because unlike the squishy human, it is much more cable of creating tons of tests and figuring out weaknesses.
Let alone the issue when lots of meatbags with different skill levels are working on the same codebases.
I have barely seen any codebase that has been in production for a long time, that did not have glaring issues.
But if you tried to do a code audit, your spending somebody their time (assuming this is a pro), for a long time. Where as a AI with the correct hints on what too look for, can do insane levels of work, testing, etc...
Ironically, when you try to secure test a codebase, and you use multiple different LLMs, you get a very interesting list of issues they can find. Many that are probably in tons of production level software.
But its up to you, as the instructor of that LLM codebase, to actually tell it to do regular security audits of the codebase.
> Ironically, AI tend to be better at securing code, because unlike the squishy human, it is much more cable of creating tons of tests and figuring out weaknesses.
Sentences like this make me think AI is honestly the best thing that happened for my imposter syndrome. AI is great for simulating test case, and that's it. If you leave it, it write the most basic, useless tests (i mean, half of them might be usefull when you refactor, but that's about it). It can't design reusable test components and have trouble with test double, which i would think is the easiest test case for AI. Even average devs like me write test double faster than AI, and i'm shit at writing tests.
AI is also extremely bad at understanding versionning, and will use a deprecated API for no reason except increasing the surface of attack.
AI is great for writing CLI scripts, boilerplate and autocomplete. I use it for frontend because i'm shit at it (even though i have to clean its shit up behind), and to rewrite small functionalities of some libraries i want to avoid loading (which allowed us to remove legacy dependencies). It's good at writing prototypes (my main use nowadays), and a very good way to use it is to ask it a plan to improve/factorize your code (it's _very_ bad at factorizing, but as it recognize patterns, it is able to suggest interesting refactors. Half the time it's wrong, so use the "plan" mode)
I'm on a network security and cybersecurity tooling team, i guarantee you AI is shit at securing the code (and at understanding network).