by scarface_74 65 days ago
My responsibility is to make sure my code meets functional and non-functional requirements. It’s to understand the *behavior*. My automated unit, integration, and load tests confirm that.

Someone thought I was naive when I said my vibe coded internal web admin site met the security requirements without looking at a line of code.

I knew that because the requirements were that anyone who had access to the site could do anything on the site and the site was secured with Amazon Cognito credentials and the Lambda that served it had a least privileged role attached.

If either of those invariants were broken, Claude has found a major AWS vulnerability.

5 comments

As written, I do think that's naive. Being sure the person/browser is authorized doesn't mean that the signals you get are actions they intended.

Suppose that in normal use a user can visit a certain URL which triggers a dangerous effect. An attacker could trick the user into performing the action by presenting a link to them titled "click here for free stuff."

There are various ways to protect against that (e.g. CORS, not using GET methods) but backend cloud credential management does not give it to you for free.
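An added example, not part of any commenter's post: a pre-handler check that refuses state changes arriving by GET or from another origin, which is the gap the comment above describes. It assumes the session rides on a cookie the browser attaches automatically and that the event follows the API Gateway HTTP API payload format 2.0; `ALLOWED_ORIGIN`, `make_event` and `csrf_verdict` are hypothetical names.

```python
# Added example, not from the thread. Event shape assumes API Gateway HTTP API
# payload format 2.0; ALLOWED_ORIGIN and all helper names are hypothetical.
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://admin.example.internal"  # assumed origin of the admin site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def make_event(method, headers=None):
    """Build a constructed (not captured) request event for the demo."""
    return {"requestContext": {"http": {"method": method}}, "headers": headers or {}}


def csrf_verdict(event, state_changing=True):
    """Return (status, reason); run before the handler performs any action."""
    method = event["requestContext"]["http"]["method"].upper()
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    if not state_changing:
        return 200, "read-only route"
    # A clicked link or an <img> tag is a GET: never let one trigger an effect.
    if method in SAFE_METHODS:
        return 405, "state change requested with a safe method"
    # Fetch Metadata: browsers that send it label cross-site requests for us.
    site = headers.get("sec-fetch-site")
    if site is not None and site != "same-origin":
        return 403, "sec-fetch-site is " + site
    # Origin accompanies browser POSTs; require an exact match with our own.
    origin = headers.get("origin")
    if not origin:
        return 403, "no origin header"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return 403, "origin mismatch"
    return 200, "ok"


if __name__ == "__main__":
    samples = {  # constructed requests, labelled by scenario
        "lure link (GET)": make_event("GET", {"Sec-Fetch-Site": "cross-site"}),
        "cross-site form": make_event("POST", {"Origin": "https://evil.example"}),
        "look-alike host": make_event(
            "POST", {"Origin": ALLOWED_ORIGIN + ".evil.example"}),
        "admin UI": make_event(
            "POST", {"Origin": ALLOWED_ORIGIN, "Sec-Fetch-Site": "same-origin"}),
    }
    for name, ev in samples.items():
        print(f"{name:18} -> {csrf_verdict(ev)}")
```

None of these checks depend on the Lambda's IAM role or on Cognito having authenticated the user; they run on every request, including fully authenticated ones.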

And that same user is already trusted to have admin access to the entire organizational AWS credentials - I did say it was an internal management site.

The lambda itself only has limited permissions to the backend. The user can’t do anything if the lambda only has permission to one database and certain rights to those tables, one S3 bucket, etc.

Heck with Postgres on AWS you can even restrict a Cognito user to only have access to rows based on the logged in user.

And the database user it’s using only has the minimum access to just do certain permissions.

> My automated unit, integration, and load tests confirm that.

Do they? Did you write them? If not, how do you know they confirm the desired behavior? If your tests are AI generated (and not human reviewed) then even if you're doing spec-driven development and provide a comprehensive spec, how can you be sure the tests actually test the desired behavior?

Now if you're either writing or reviewing the tests, then sure.

Also, for what it's worth, when I talk about my "responsibility" I'm speaking more from a self-imposed sense of... um, almost a moral responsibility I feel, not something involving a 3rd party like a customer or employer.

I review AI generated test of AI just like I reviewed tests of developers on a team I was leading.

There is no “morality” when it comes to my job. Outside of my feeling morally obligated to give my employer the benefit of all my accumulated skills for 40-45 hours a week in exchange for the money (and in a previous life RSUs) in my account.

I feel accountable to my coworkers and customers to deal with them fairly and honestly.

What other moral obligation should I have besides my employer, coworkers and customers?

> I review AI generated test of AI just like I reviewed tests of developers on a team I was leading.

Cool. Then what you're doing seems totally reasonable to me, for what that's worth. My skepticism would be directed towards people who have AI write the code and the tests, and then don't do any further review. That, to me, is a sure path to "AI slop". But if you're specifying the desired behavior and reviewing the tests, then I don't see any problem with it.

> What other moral obligation should I have besides my employer, coworkers and customers?

No idea. That's up to you. Note that my comment above was intended to be descriptive, not prescriptive. Like I said, I'm talking about something that's purely a self-imposed thing. If you don't feel that same thing, that's totally fine.

Did you mean to reply to someone else? This seems awfully defensive for a reply to parent’s comment.

Yeah only the first two sentences were actually relevant. The rest was a humble brag that there is no application level security, which is a really weird thing to brag about.

When I use SAML, I still have to check that the user has some sort of attribute that indicates that access was granted to the application. If this access rule is defined outside the application, then why bring up Claude? If it isn't then Claude is responsible for implementing the access rule, which means the comment is 100% wrong.

OP is a known autist who goes around and does this between HN and Reddit

I have no idea what you are talking about but I just checked the scarface_74 user on Reddit (he not I) last posted 8 years ago and mostly on the r/bitcoin thread.

https://www.reddit.com/user/Scarface_74/

And I have no idea what TREZOR is…

Thank you for doing your part to keep webapp pentesters in business.

It wouldn't prevent the admin page from exfiltrating data, though, right? Like, POSTing whatever data is loaded on the page to an arbitrary attacker controlled website.

That would require the logged in user to do something stupid. That’s like saying what’s to prevent the authorized user from emailing his credentials to a random person.

You may want to go back and ask the expert in that vibe coding equation if it would say this is a wise approach.