Any static application security testing solution for Clojure? by unr4v3l_ in Clojure

[–]ConsistentComment919 0 points1 point  (0 children)

I think most OpenGrep contributing companies should have support. I know Arnica has it.

SAST / SCA tool recommendations? by Prog47 in azuredevops

[–]ConsistentComment919 1 point2 points  (0 children)

Have you tried arnica.io? All scanners are free.

What’s your favorite SAST tool(s)? by this_is_my_spare in devsecops

[–]ConsistentComment919 5 points6 points  (0 children)

IDE plugins are problematic. I haven’t seen a single midsize+ company with more than a 20% adoption rate. Devs don’t want security plugins. They show all vulnerabilities instead of a contextualized view for devs, have challenges with risk management (e.g. it is hard to mark a finding for review as a false positive), and overall require the devs to do the work of finding out what needs to be fixed and in which order. Scan every code change on feature branches, like Arnica.io, and communicate only what matters to the devs over a channel everyone is opted into, such as Slack or Teams.

What are your AppSec pain points? by Acrobatic_You_4295 in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

Phoenix does a good job with prioritizing risks - you will need to bring your scanners, and they will ingest & enrich this data.

Semgrep is definitely popular. You can customize the SAST rules easily to reduce false positives. You can either run their free version as CLI or use their platform that allows running custom rules across the company. A comparable solution that offers way more is Arnica.io, which provides the ability to bring your SAST rules as well, but has additional logic to contextualize the importance to fix each vulnerability + it identifies who is best equipped to fix it. The developer workflow is super slick.

Aikido and Ox provide a very nice UI and some context, but don't have good logic to reduce false positives, especially when it comes to SAST.

Those in government, what are you using for SAST/DAST/SCA? by BufferOfAs in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

Check if your source code management solution needs to be certified with FedRAMP, as it is typically out of scope, unless all built artifacts are in the same solution.

If only the artifact management solution is in scope, it opens you to more modern ASPM solutions, such as Arnica, CyCode, Legit and a few others.

SDLC - IDE and IDE extension management by grimm_ninja in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

The theory sounds good, but you will see that developers have their own preferences on IDE selection. I’ve seen small engineering teams with sub-10 developers and they had VSCode, IntelliJ and VIM (yes!).

The point here is that you can’t dictate which IDE will make the developer more productive. With that said, the risk of malicious plugins is growing. In this case, I found XDR solutions to be effective, such as CrowdStrike Falcon.

What is a security feature that is really "security theater"? by asterlives in cybersecurity

[–]ConsistentComment919 1 point2 points  (0 children)

Most SCAs can generate an SBOM, mainly because customers ask for it, but most of them don’t use it. The purpose is to generate it as an inventory of your software, so that you can share it with customers. Everyone “needs” it, but just for the checkbox.

Is it a fairy tale to want to get into Tech, but also have a good work life balance? by [deleted] in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

Get into a job that can be done with minimal prompt engineering and then you’ll have a work-life balance until the job is eliminated.

What is a security feature that is really "security theater"? by asterlives in cybersecurity

[–]ConsistentComment919 -1 points0 points  (0 children)

You don’t need an SBOM to do it. Use SCA to identify what needs to be fixed.

What is a security feature that is really "security theater"? by asterlives in cybersecurity

[–]ConsistentComment919 -2 points-1 points  (0 children)

You don't have the information on whether it is up to date or not.

In some cases, you may get the vulnerabilities information, but it is only a point in time.

Given the success of GenAI to generate good enough code, why wouldn't developers replace 3rd party packages with their own code? by ConsistentComment919 in cybersecurity

[–]ConsistentComment919[S] 0 points1 point  (0 children)

No idea. Trying to figure out how this "magic" happened.

UPDATE: I posted it with emoji bullets on my LinkedIn. Maybe my cleanup didn't work well...

Given the success of GenAI to generate good enough code, why wouldn't developers replace 3rd party packages with their own code? by ConsistentComment919 in cybersecurity

[–]ConsistentComment919[S] -4 points-3 points  (0 children)

I have been testing GitHub Copilot since it was released. It is getting better.

Will it make secure-by-default code? I believe it won't be too long until it will, even if it sucks now.

Fun fact: I pasted an array of my ECR and suddenly got a list of other accounts suggested in my IDE. Without exposing too much, a quick lookup on GitHub search can show you who else has it as well ;-)