HackerTrans
TopNewTrendsCommentsPastAskShowJobs

joj123

no profile record

Submissions

Security tools inside coding agents get ignored unless we do things

boringappsec.com
2 points·by joj123·22 gün önce·0 comments

[untitled]

1 points·by joj123·9 ay önce·0 comments

The SDLC is changing and so will AppSec (again)

boringappsec.substack.com
2 points·by joj123·12 ay önce·0 comments

Security slows down Change Management and we have a chance to fix it

boringappsec.substack.com
1 points·by joj123·geçen yıl·0 comments

Why ADR v/s Shift-left is the wrong way to think about AppSec

boringappsec.substack.com
2 points·by joj123·geçen yıl·0 comments

Show HN: Seezo SDR – Automated security design reviews

app.seezo.io
5 points·by joj123·2 yıl önce·2 comments

[untitled]

1 points·by joj123·3 yıl önce·0 comments

[untitled]

1 points·by joj123·3 yıl önce·0 comments

Managing LLM risk for companies using 3rd party LLMs

boringappsec.substack.com
1 points·by joj123·3 yıl önce·0 comments

Degrading UX to improve security hurts both UX and security

boringappsec.substack.com
2 points·by joj123·3 yıl önce·0 comments

Security's Prioritisation Problem

boringappsec.substack.com
1 points·by joj123·3 yıl önce·0 comments

Is CloudSec the new AppSec? tldr – not quite

boringappsec.substack.com
1 points·by joj123·3 yıl önce·0 comments

Building a static analysis program at Razorpay

engineering.razorpay.com
1 points·by joj123·4 yıl önce·0 comments

A simple framework on when WAFs work and when they may not

boringappsec.substack.com
1 points·by joj123·5 yıl önce·0 comments

Top AppSec metrics and why they are hard to measure

boringappsec.substack.com
2 points·by joj123·5 yıl önce·0 comments

Boring Appsec

boringappsec.substack.com
1 points·by joj123·5 yıl önce·0 comments

Designing for Security

increment.com
1 points·by joj123·6 yıl önce·0 comments

comments

joj123
·22 gün önce·discuss
[flagged]
joj123
·geçen yıl·discuss
I am a founder of a company that generates LLM-generated output (the users know that). I am curious if folks would prefer we make it more "human-like", or do you prefer we just add more disclaimers of the text being LLM generated? Of course, do assume that the content itself is accurate. The question is on the style of output
joj123
·2 yıl önce·discuss
Thanks. That's a good point, should have linked to the landing page instead :)
joj123
·3 yıl önce·discuss
My cynical take is that HR teams don't know how to manage or engage remote teams. Instead of picking up that skill, they are forcing a return to office.
joj123
·3 yıl önce·discuss
I have no idea what they have built. Hope they talk about it though :)
joj123
·3 yıl önce·discuss
1. I agree with your point that Prompt Injection can still affect the consumer of a third party LLM 2. I prefer to categorize it as a supply chain security issue, since the vulnerability is with a software provider that you are consuming.
joj123
·3 yıl önce·discuss
Agree that the ownership of using a vulnerable 3rd party is on you. I would just categorize that as supply chain risk and not prompt injection.
joj123
·3 yıl önce·discuss
(Author of the newsletter here) It's early days, but the simplest use case has been to improve employee productivity (Github Copilot, ChatGPT etc.). The Stripe CEO just tweeted that over half of their employees are using an internal LLM tool they built (folks who build internal tooling know how hard it is to drive adoption to a non-mandatory tool): https://twitter.com/patrickc/status/1681699442817368064?s=20

There are other companies which are doing some crazy experimental things which may have a large impact. For instance, Truveta is cleaning up on millions of medical records, training a model on that data and using that to drive research about patient care. Too early to tell if LLMs will actually transform companies beyond slight bumps in productivity, but to me, it feels like the cloud computing moment from 12-15yrs ago.
joj123
·5 yıl önce·discuss
Fair enough. Guess IDE plugins work even better for that
joj123
·5 yıl önce·discuss
The CI service is free, with some limitations on how long the findings stay on the dashboard, SSO integration and maybe a few others. The paid version was $40/usr/mo the last time I checked Once we figured it out, it takes us a few minutes to onboard a new repo to Semgrep
joj123
·5 yıl önce·discuss
Out of curiosity, Is there value in doing this over (say) running a GitHub Action post commit and failing the build if it finds something nasty?
joj123
·5 yıl önce·discuss
I do the same with Whatsapp using a neat trick someone told me about. Create a group(call it "Share with self" or similar) with you and another person. Then, remove that person from the group.. that's it! Functionally it's the same as sending yourself Slack messages, but on WA, which is good
joj123
·6 yıl önce·discuss
+1 If any of you get a chance, try the "Najangud rasbaLe" variety often found in Mysore. It's my absolutely favorite kind of banana

Edit 1: typos Edit 2: More details on what's ailing the rasbaLe and how fickle crops can be here: https://www.thenewsminute.com/article/why-cultivation-karnat...
joj123
·6 yıl önce·discuss
I guess the idea is that TLS is sufficiently complicated that you can take tangents during the interview and establish if the candidate can understand and communicate complex concepts
joj123
·6 yıl önce·discuss
You make many of leaps of faiths to get to your conclusion. Let's for a second assume that's all accurate, are you in favour of government solving this problem by an executive decision? Note that the same State refuses to regulate FAANGs which have stood by as their platforms were exploited to influence elections. The double standards are staggering
joj123
·6 yıl önce·discuss
One last point: Wipro has performed way better than expected during COVID (https://www.livemint.com/companies/news/wipro-soars-as-june-...)

TCS has made an announcement that they will not have any layoffs during COVID https://www.bloombergquint.com/business/tcs-not-to-lay-off-e...

So, even when thousands of employees of these companies could not travel to the US, their profits soared. Anecdotally, it appears (need more data) that if these companies cannot send someone on an H1B, the job does not always go to an American national, it probably goes back offshore to Bangalore (good for us, we get those tax Rupees).
joj123
·6 yıl önce·discuss
Wait, are you in good faith comparing H1B workers to slavery? I am not an expert on American history, but if you did, that escalated quickly :). The only rebuttal I have is, that no employee on Infosys is forced on a Lufthansa economy class seat to Newark airport. They do it by choice.

The whole "their code is horrible" is shifting of a goalpost. If that's true (and it might well be), then stop hiring them. If businesses see the point you are making, they'll stop hiring them.

On FAANGs adding value - I 100% agree. FAANGs add way more value than any Indian consulting company and that's reflected in the market cap of these companies. But surely,one can appreciate that FAANGs add value and that they lobby to have laws created in their favor. My limited point is that I don't think these American companies (which benefit from the new H1B rule) have any higher moral ground to claim with respect to their stance on immigration laws.

Also, A higher wage is an odd way to restrict hiring. A FAANG company can pay much higher wages for low-end coding job than Indian consulting companies ever can. So, if a FAANG hires the same Indian kid, at 120K/yr and have him/her do the same shitty job that the consulting company does, there's nothing here that stops it (please correct me if I am mistaken)
joj123
·6 yıl önce·discuss
Wow. That's a mean acronym (whoever came up with it). FWIW - these companies add tremendous value to enterprises in the US and yes, they do that by paying lower wages to folks flying in from India (compared to American counterparts), but it's still a upgrade for these engineers (plus a chance to experience America). I understand the whole "but they are circumventing the spirit of the Visa" angle, but they are operating in an environment where FAANGs spend a lot of money lobbying for favorable regulations. I don't see a big ethical difference between 'I will pay millions to lobby and get laws written in my favor' and 'I will exploit loopholes in the system to better my business'
joj123
·6 yıl önce·discuss
AppSec consultant here. Most developers being unaware of OWASP is quite possibly the biggest failure of the AppSec community. OWASP isn't perfect, but it's the most visible,easiest to access appsec standard/community out there. If devs haven't heard of that, they probably know very little about securing the software they write and that's a massive failing of the entire ecosystem.