undefined | Better HN

0 pointsthereisnospork1d ago0 comments

>any vulnerability in any software available for inspection is going to be instant public knowledge. Or at least public among anybody who matters.

Shouldn't this naturally lead to a state where all (new) code is vulnerability-free? If AI vulnerability detection friction becomes low enough it'll become common/forced practice to pre-scan code.

0 comments

organsnyder1d ago

Finding a vulnerability by looking at the diff that fixed it is very different than just looking through the code.

Izkata1d ago

They're saying to do that scan to every diff before release, to see if it finds anything.

riknos3141d ago

I believe their point was that:

"How likely is this diff a patch for an existing vulnerability?"

Seems to be an easier question to answer than

"Are there any new vulnerabilities introduced by this diff?"

In other words identifying that a patch is for a vulnerability is typically easier than finding the vulnerability in the first place.

1 more reply

alt22723h ago

The point is that even if all code commits are scanned as safe by ai, black hats can still analyse the commits and diffs to find vulnerabilites for people who havent patched yet.

Scanning every commit doesnt automatically make everyone in the world patch immediately, vulns can still be found from commits and diffs and used against those who havent patched yet.

1 more reply

skinfaxi1d ago

The diff yields the patched code which is used to produce the exploit.

Hizonner1d ago

> it'll become common/forced practice to pre-scan code.

You'd think.

But then you'd think people would do a lot of other things too. I hope, I guess.

The other danger is that "the cloud" may become even more overwhelmingly dominant. Which of course has its own large security costs.

thinking_cactus1d ago

Remeber (to you both) extrapolation is a perilous business.

Obligatory xkcd https://xkcd.com/605/

j / k navigate · click thread line to collapse

0 comments

organsnyder1d ago

Finding a vulnerability by looking at the diff that fixed it is very different than just looking through the code.

Izkata1d ago

They're saying to do that scan to every diff before release, to see if it finds anything.

riknos3141d ago

I believe their point was that:

"How likely is this diff a patch for an existing vulnerability?"

Seems to be an easier question to answer than

"Are there any new vulnerabilities introduced by this diff?"

In other words identifying that a patch is for a vulnerability is typically easier than finding the vulnerability in the first place.

1 more reply

alt22723h ago

The point is that even if all code commits are scanned as safe by ai, black hats can still analyse the commits and diffs to find vulnerabilites for people who havent patched yet.

Scanning every commit doesnt automatically make everyone in the world patch immediately, vulns can still be found from commits and diffs and used against those who havent patched yet.

1 more reply

skinfaxi1d ago

The diff yields the patched code which is used to produce the exploit.

Hizonner1d ago

> it'll become common/forced practice to pre-scan code.

You'd think.

But then you'd think people would do a lot of other things too. I hope, I guess.

The other danger is that "the cloud" may become even more overwhelmingly dominant. Which of course has its own large security costs.

thinking_cactus1d ago

Remeber (to you both) extrapolation is a perilous business.

Obligatory xkcd https://xkcd.com/605/

j / k navigate · click thread line to collapse