by sbarre 482 days ago
To be fair, lots of "actual" programmers who don't know good from bad have been shipping insecure code to prod for decades.

AI is just another vector for this, not something entirely new.

When you have your amazing idea, instead of hiring an inexpensive low-skill developer (whose work you are also incapable of evaluating) to build and ship your idea in a low quality way, you're just paying AI to do it.

It's just putting the money into different (centralized) pockets.


No, people should not be knowingly half-assing important things like PII just because "it's been done badly before." We make the good-faith assumption that people who mess this up don't know better, not that they're willingly using a tool that will mess it up for them because they don't care.

I think you misunderstood my comment.

When a non-technical person hires an incompetent developer (that they likely don't know is incompetent at the time of hiring) to build something that turns out to be insecure - because the developer didn't know any better and the non-technical person doesn't have the skills to evaluate the output - no one was trying to do a bad thing, but they didn't know what they didn't know.

The non-technical person got something that did what they asked, without understanding all the underlying deficiencies.

It's the same with AI; I don't think non-technical people using AI are thinking "I don't care that this is building garbage code full of problems."

Just like the first scenario, they don't know what they don't know, and they end up with something that does what they want, and that's a good outcome based on their limited knowledge.

To be clear, I don't think either of these scenarios is excusable or acceptable if you're working with PII or other security-sensitive things; I was just pointing out that this isn't new.