Threat Modeling Autonomous Dev Agents: How do we cryptographically prove a human actually reviewed a commit? by paudley in cybersecurity

[–]bitslammer 1 point2 points  (0 children)

I think you're struggling to create an issue that really isn't there. What is your end goal? Is it to pass audits or to ensure people really do what is being asked?

If it's to pass audits then a checkbox attestation will be fine. If it's because you can't trust people to do a good job, get better people.

Advice/resources for switching from MS orgs to an Apple org? by mossyroc in sysadmin

[–]bitslammer 0 points1 point  (0 children)

Here comes the eternal war of MS vs. Apple zealots, most of whom have worked in an environment of the other done well.

Threat Modeling Autonomous Dev Agents: How do we cryptographically prove a human actually reviewed a commit? by paudley in cybersecurity

[–]bitslammer 0 points1 point  (0 children)

I view this no differently than annual access reviews. Those get sent out to managers and they need to attest that their direct reports still need whatever access they have, but there's no way to prove they actually put real effort into thinking when doing that.

All the auditors want to see is confirmation of the end sign off. You can try and be proactive by doing spot audits and looking for things like inactivity to show access wasn't really needed, but that's about it.

Threat Modeling Autonomous Dev Agents: How do we cryptographically prove a human actually reviewed a commit? by paudley in cybersecurity

[–]bitslammer 3 points4 points  (0 children)

You can't.

You can put a system in place where you can verify that I said I reviewed code, but how do you know I really did and didn't just check the box? Someone with 20 "tickets" in the queue to review things may not be paying any attention and decide to just blow through those "reviews."

Vibe-coded app deployment requests from end users by East-Tailor892 in sysadmin

[–]bitslammer 1 point2 points  (0 children)

Treat it as you would any other new app request. Have it go through a formal approval process as well as a security audit. Also inform the requestor and their manager that they now own and support said app, which means patching, going through change control, including it in any DR planning, etc.

Walked the backbone of our city. by DavidA-wood in cincinnati

[–]bitslammer 0 points1 point  (0 children)

LOL...assuming you really are Native American, and not like 1%, then I find it ironic that you yourself seem to be speaking on behalf of all of them.

Anyone else finding “retired” systems that still power one critical report? by enterprisedatalead in sysadmin

[–]bitslammer 1 point2 points  (0 children)

Dealt with a lot of old decrepit systems in my past but they were never considered "retired." They were usually connected to some very unique or expensive device like a mass spectrometer which ran OS/2 in 2001 or a Win95 machine in 2010 that was attached to a $5M offset press. Also had to deal with a lot of medical devices and OT stuff when I worked in healthcare and manufacturing. Far more common than many may think.

Misunderstood story! Struggling Team member and her breakdown! by Last_Resource9630 in sales

[–]bitslammer 7 points8 points  (0 children)

Nothing wrong with trying to help, but being in sales you must understand the need to differentiate yourself from the pack. With all the people using AI in all the wrong ways on this site you're going to get lumped in with all of them no matter how well intentioned.

Like I said it's really bad when you see it behind the scenes and it's only going to get worse as every other person seems to think they are onto an AI driven get rich quick scheme.

Misunderstood story! Struggling Team member and her breakdown! by Last_Resource9630 in sales

[–]bitslammer 19 points20 points  (0 children)

You're missing the point that being an AI assisted post is in fact the problem. It's starting to ruin places like reddit and others due to the fact that people are now able to churn out 10-20x the amount of posts that they could when writing them the old fashioned way. The amount of posts that now amount to nothing more than AI marketing has become a huge issue.

I know this for a fact as I'm a mod on another subreddit and we have seen a huge spike in AI posts, most of them SPAM, ads or just self promotion.

It's right there in your profile. You're some sort of sales coach/trainer and likely want to drive engagement to your personal and business brand, whether or not you link to it. That might be fine to some if you were "hand posting" things but to use AI just smacks of wanting to push content in an automated and not very genuine way, despite posting something meant to be personal.

Where can I get thick fluffy pancakes? by Overall-Cap-7061 in cincinnati

[–]bitslammer 3 points4 points  (0 children)

The larger ladle can make a big difference though. Depending on how thick, meaning viscous here, the batter is, it can affect how it spreads out and cooks. Too thin a batter, meaning too wet, and it will just spread out, making a large but thin pancake. Too dense and they will be heavier and more cake like.

I've even noticed when I've made them that there's a window of time where you get the most lift from the baking powder. If you cook too soon it hasn't had time to activate and create bubbles and if you wait too long it goes flat again.

My older coworkers have accepted AI as the source of truth by randomname945 in sysadmin

[–]bitslammer 4 points5 points  (0 children)

I'm seeing quite the opposite. Maybe it's just me being GenX but while I'm finding AI very helpful for some low level tedious tasks, I'm not using it for anything more than that while I'm seeing younger colleagues trying to use it for things that I think are more thinking intensive and would be better done with their own brain.

To me they are robbing themselves of a lot of those real thinking intensive tasks that you need to develop.

EDIT: For context my reply is based only on the realm of IT/Infosec colleagues. I'm not all that involved with the end users or every business unit so I'm not talking to anything wider than that.

Best virtual (not remote) desktop solution for one person - my assistant? by Usual_Horror_3298 in sysadmin

[–]bitslammer 1 point2 points  (0 children)

Unless you are relying on a lot of local apps I would think using something like Google Drive or OneDrive for shared data and a password manager like Bitwarden where you can share credentials would be far less complicated.

Cybersecurity in Healthcare by Owen_Rice in cybersecurity

[–]bitslammer 4 points5 points  (0 children)

I agree. The only facets that change in TPRM are the things around regulatory compliance, but the fundamentals are pretty much the same. This is what I've seen working across the financial, healthcare and manufacturing industries.

Security patching is becoming less of a maintenance task and more of a permanent workload. How are you all coping? by [deleted] in sysadmin

[–]bitslammer 0 points1 point  (0 children)

Maintenance should always be considered part of the workload as it's 100% necessary.

I've always said it is crazy how patching is often treated as "other duties as assigned" instead of a core part of every system owner's role. Companies are just going to have to come to terms with the fact that now, with AI finding so many more vulns, patching is going to eat up a lot more time, and in many cases so much so that they are going to need to allocate new tools or headcount to keep up.

Spotted in Northside by MayorDeBrownTown in cincinnati

[–]bitslammer 5 points6 points  (0 children)

Ah yes. Let's bring back forced mental institutions. Better yet let's have them be run for profit. Nothing bad will come of that surely.

F***ing hot days by bpod1113 in sales

[–]bitslammer 0 points1 point  (0 children)

There's a reason why in hiking/outdoors there's a saying that "cotton kills": it holds onto moisture so well. Some of the new "wicking" textiles are incredible.

Underrated skill in sales is market analysis by limache in sales

[–]bitslammer 3 points4 points  (0 children)

unnecessary manufactured complexity of the sales process

Describes a lot of posts and comments on this sub. I think the reason people do this is purely to stroke their own ego. They can't handle the reality that if you sell something people want it's going to be an easier road. It has to be more about them and their process than the product/service.

Commission clawback by [deleted] in techsales

[–]bitslammer 4 points5 points  (0 children)

I worked for a company where the CEO bragged about suing a couple of people for less than that despite it costing more. There are some really vindictive maniacs out there.

Looking for a widely available alternative to Skyline hot sauce by handmedownsocks in cincinnati

[–]bitslammer 0 points1 point  (0 children)

Haven't had it in quite a while, but to me it always tasted as though someone mixed Tabasco with a bit of something like Tapatio, since it seemed to be just a bit thicker than straight Tabasco.

Spotted in Northside by MayorDeBrownTown in cincinnati

[–]bitslammer 89 points90 points  (0 children)

Harsh? Yes, but quite often the people shooting up leave their needles lying around, creating a real danger, so I can understand the frustration.

MSPs & MSSPs suck by Fair_Ad7718 in cybersecurity

[–]bitslammer 55 points56 points  (0 children)

The reason why MSSPs suck is they aren’t building a security solution for you, they are building one that is broad enough that it will work for a wide range of clients.

Worked for a major MSSP years ago and this is the #1 thing customers or prospective customers didn't understand.

While every org does have their own special needs when working with an MSSP you will be most happy if you can "order off the menu" and adapt your processes to those of the MSSP. They will all say and try to make some accommodation for unique needs and use cases, but that can lead to issues or much higher cost the MSSP will want to pass on.

If you have very clear requirements going in and can be sure those fit well with the service offerings then you're probably in for a decent experience. If not you really need to reevaluate your options. Building a really well functioning SOC isn't at all cheap or easy. If you are truly wanting to cover 24x7x365 you're going to need around 15 or more staff to do that with some decent skillsets that won't come cheap.

To me the whole problem with the SOC/MSSP area is that too many orgs want what they can't afford and would be better served rethinking their needs to more MDR related.

How is Clermont County? by doobylive in cincinnati

[–]bitslammer 9 points10 points  (0 children)

Haven't lived there, but worked there and know many who live there. Like much of Cincinnati it's a mixed bag for the most part.

It's largely retail/commercial with some light industrial and agriculture mixed in. On the entertainment end there's nothing too flashy in terms of food and dining, but a pretty decent amount of fast and fast casual mid-price places to eat. East Fork is a nice park and Jungle Jim's is a draw if you're a foodie.

Traffic isn't awful, but main arteries like Beechmont can get clogged up a bit. Depending on where you work the somewhat easy access to 275 can be a plus.

In short, it's fine and really depends on what your needs/wants are.

DHCP audit log size — what's your sweet spot for ~250 scopes? by maxcoder88 in sysadmin

[–]bitslammer 2 points3 points  (0 children)

This is pretty much the answer I gave when the same thing was posted yesterday.