[strogonoff]

> > exploiting software is someone’s full-time job, whereas the engineers already have one—building it.

> But the attackers needs to spread their attack over many products, while the engineers only need to defend one.

Are you assuming every piece of software has a dedicated defender team? Strikes me as unlikely.

Realistically, you have people whose job or passion is to develop software, who often work not on one but on N projects at the same time (especially in OSS), and who definitely aren’t going to make finding vulnerabilities their full-time job because if they do then there’ll be no one to build the thing in the first place.

> Except that's true even without LLMs.

Of course. That’s why I put it before I started taking into account LLMs. LLMs multiply the pre-existing imbalance.

> once attackers develop some skill, that skill could spread to all defenders through tools with the skill built into them

Sure, that’s an interesting point. I’m sure the attackers try to conceal their methods; the way we tend to find out about it is when an exploit is exhausted, stops being worth $xxxxxxxx, and starts to be sold on mass markets, at which point arguably it’s a bit late. Furthermore, you still mention those mystical “defenders”, as if you would expect an average software project to have any dedicated defenders.

(Edited my reply to the latest point, I didn’t read it correctly the first time.)

[pron]

> Are you assuming every piece of software has a dedicated defender team? Strikes me as unlikely.

No, I'm assuming it has maintainers (they play the role of defenders).

> engineers who work on software are simply not that great and dedicated about finding vulnerabilities in it.

Yes, but LLMs help them more than they help the attackers, because the attackers are already security experts. In other words, the LLMs reduce the skill gap rather than increase it. Becoming good at using AI is much easier than becoming good at security.

[strogonoff]

> I'm assuming it has maintainers (they play the role of defenders).

A maintainer has a full-time job: to develop software. A maintainer who is also a defender has two full-time jobs, and as we all know in such a case one of these jobs will have to be done poorly, and we all know which one that is.

On the other side there’s an attacker with a singular job and a strong incentive to do it well.

> LLMs help them more than they help the attackers, because the attackers are already security experts.

The supposed logic is that an LLM multiplies your skill. If the multiplier is 5, and your attacking skill is 1 before the multiplication, then you get 5 after; if your attacking skill is alreaady at 10, you get 50. You could argue that LLMs are not good enough to act as multipliers, and then my math won’t work.

[pron]

> A maintainer has a full-time job: to develop software. A maintainer who is also a defender has two full-time jobs,

I don't think so. This is already the situation. Maintainers already fix vulnerabilities when they know about them.

> On the other side there’s an attacker with a singular job and a strong incentive to do it well.

If the situation is that the attacker is focusing on a single project, the attacker will win, as they do already. But the attackers usually need to split their attention over lots of projects.

> The supposed logic is that an LLM multiplies your skill

I don't agree with that logic. Agents bring knowledge with them. That's not a multiplier. Compare how well a 12 year old can do compared to a Roman history professor on questions about Roman history when they both can use an LLM or when they both can't. The LLM will shrink the gap, not increase it.

[strogonoff]

> I don't think so. This is already the situation. Maintainers already fix vulnerabilities when they know about them.

This is already the situation and it is a problem and that is why we are talking about it.

> If the situation is that the attacker is focusing on a single project, the attacker will win, as they do already. But the attackers usually need to split their attention over lots of projects.

Just like that, the developers split their attention over N projects, the activities of developing and finding vulnerabilities, etc. Unlike the attackers, they live in free countries without figurative guns to their heads. Unlike the attackers, they do not have government-funded datacenters churning on finding vulnerabilities. So it more than cancels out, and you are repeating yourself.

> I don't agree with that logic

Sure, knock yourself out.

> The LLM will shrink the gap, not increase it.

I’m not going to argue with you on behalf of all the different posters here who claim how LLM help more if you are already knowledgeable and don’t help as much if you are a beginner and don’t actually know what you are doing compared to the pro. I think you are a minority in your opinion.