[post-it]

> Maybe I'm just lucky that my colleagues all have Uni degrees in CS and at least a few years experience.

That's why. I was using Claude the other day to greenfield a side project and it wanted to do some important logic on the frontend that would have allowed unauthenticated users to write into my database.

It was easy to spot for me, because I've been writing software for years, and it only took a single prompt to fix. But a vibe coder wouldn't have caught it and hackers would've pwned their webapp.

[giancarlostoro]

You can also ask Claude to review all the code for security issues and code smells, you'd be surprised what it finds. We all write insecure code in our first pass through if we're too focused on getting the proof of concept worked out, security isnt always the very 1st thing coded, maybe its the very next thing, maybe it comes 10 changes later.

[blibble]

> We all write insecure code in our first pass through

no, we don't

[giancarlostoro]

Yes we do, you don't just start a brand new web project and spit out CORS rules, authentication schemes, roles, etc in one sitting do you? Are you an AI?

[blibble]

> are you an AI?

no, I'm a competent engineer

maybe you've not worked with any

[giancarlostoro]

So let me get this straight, you get instructed to build an Instagram clone, and you sit down and one shot code every single feature for the project? My point is about in one sitting, doing EVERYTHING all at once, without pausing, without standing up, without breaks. I don't know about you but people who tend to rush code out make just as many if not worse mistakes than AI does.

I've worked with many competent engineers and have built things people couldn't even google help for before AI existed, and that surpassed mine and my teams expectations both solo and in a team setting, none of them were done in one sitting, which is what you're suggesting. Everything is planned out, and done piecemeal.

For the record, I can one shot an AI model to do all of those things, with all the detail they need and get similar output as if I gave a human all those tasks, I know because I've built the exact tooling to loop AI around the same processes competent developers use, and it still can do all of it in record time.

[habinero]

> I can one shot an AI model to do all of those things

Bullshit you can lol. If it's that trivial, create an instagram right now and post the code.

[girvo]

Yes I really do, because this has been a solved problem for a while. Also it’s necessary to get right because retro fitting it later is a pain.

[giancarlostoro]

So if you're going to build a massive application say, YouTube, Facebook or Instagram you're going to sit down, and write out every template, db model, controller, view model, etc in one single sitting for the entire application? No bathroom breaks, no lunch, no "I'll finish that part tomorrow" you do it ALL in one sitting? Because you will miss something, and that's my point, nobody gets their first crack at a greenfield project 100% in one sitting, you build it up to what it is. The AI is used the same way.

[girvo]

No, the AI writes far less secure code than I do to start, even with the SotA models and careful prompting/detailed plans.

You’ve moved the goalposts so far that you’re now talking about a different game altogether.

[habinero]

I actually do build all of those things before standing something up in prod. Not doing that is insane. Literally every web framework has reasonable defaults baked in.

Any competent tech company will have canned ways to do all of those things that have already been reviewed and vetted

[giancarlostoro]

I never said anything about before hitting production, I said do you build everything in one shot when you start a brand new project, in one sitting.

[habinero]

Why are you building and deploying a site critical enough to need CSP and user security & so on in one sitting lol

Anyways, yes, if I know I'm gonna need it? Because every framework has reasonable defaults or libraries for all of those things, and if you're in a corporate environment, you have vetted ways of doing them

1. import middleware.whatever

2. configure it

3. done

Like, you don't write these things unless you need custom behavior.

[lelanthran]

I don't. I pull in or bake in the security and ACL on day 1.

Features come after I have tested authn and authz.

The first feature runs with full security.