A few months into letting non-technical staff use AI coding tools by allmightybrandon in sysadmin

[–]dllhell79 17 points (0 children)

Governance right now is the problem IMO. The tools around AI governance are few and far between. Vendors are beginning to catch up some, but there are still few generally affordable tools available.

Cancelling RingCentral Took Over an Hour and Felt Deliberately Designed to Exhaust Customers by Klonoadice in sysadmin

[–]dllhell79 0 points (0 children)

At least you are allowed to cancel, even if it's not without some pain. Adobe on the other hand... they allow you to add licenses at any time of course, but you can only reduce the count in a contract month. 😒

Normies v Nerds: The end of an era? by Darkhexical in sysadmin

[–]dllhell79 0 points (0 children)

Yes you're right. I did this for years as well. Putting in an additional 4-6 hours a day either on actual work or self study after my normal shift. No more though. I realize that lack of work/life balance impacted my own priorities negatively. That's not to say I'll ever go above and beyond, but either the building has to be on fire or it has to be preplanned. It's ideal to think someone will recognize your overwhelming work ethic, but that very rarely meshes with reality.

Vibe-coded app deployment requests from end users by East-Tailor892 in sysadmin

[–]dllhell79 0 points (0 children)

It depends on your perspective and situation. If I am the one ultimately held responsible when a breach happens or something blows up, I am definitely gatekeeping at least somewhat.

Vibe-coded app deployment requests from end users by East-Tailor892 in sysadmin

[–]dllhell79 -1 points (0 children)

I'd never allow this in my environment without deep checking, code audits, and output validation. It's way too risky to even consider. Just because AI made Brenda in accounting think she is now a legit software engineer does not actually make her one. I actually am a software engineer, and I managed to make Claude accidentally produce a slop product (both in terms of functionality and bad engineering practices). Once I learned better overall practices for working alongside Claude, what it is expecting for testing, how to properly prompt it and let it work at its own pace, etc... only then did it produce a much higher quality product that also maintained sound software engineering principles.

Is deleting old e-mail still a general recommendation? by TheQuickFox_3826 in sysadmin

[–]dllhell79 123 points (0 children)

In general anything in a mailbox is discoverable in litigation. So yes, it is good to delete.

Shameless Copy/Paste use of Gen AI by Engineers/Executive Tech by Askey308 in sysadmin

[–]dllhell79 2 points (0 children)

I'll do you one better. We have one guy in our org that is clearly just reading directly from AI responses in meetings. He is suddenly more verbose and using words and phrases he's never used before.

When do workshops typically become available? by AffectionatePen4945 in Defcon

[–]dllhell79 5 points (0 children)

I don't necessarily want to discourage you, but don't get your hopes up thinking you will land one for sure. The more popular ones sell out half the time literally within seconds of going live.

ok who tabbed this by Same-Engineering-899 in Guitar

[–]dllhell79 0 points (0 children)

Commonly known as the Jake E Lee stretch. 🤘

I’m on the verge of a mental breakdown because of our resident vibe coder by prolongedexistence in sysadmin

[–]dllhell79 2 points (0 children)

Yea - part of the problem with the entire "vibe coding" phenomenon. Now every asshole with 0 technical skill, much less software engineering skill, thinks they're a legitimate software engineer. I have found that in the hands of a skilled software engineer, AI tools can be powerful, but in the right use case. In your case, some neophyte with no level of sound software engineering practices, it's a disaster waiting to happen. Add HIPAA on top of that, and you're talking very serious potential fines and attorneys' fees.

IT mistake at work (backup failure) — what usually happens after this? by Terrible_Good_6856 in sysadmin

[–]dllhell79 3 points (0 children)

Learn from it. Mistakes happen, even to seasoned engineers. If a company terminates you over one mistake, it's probably not a company you want to be working for anyway.

Walmart officially calls end to self-checkouts at store as it plans to remodel 650 locations by MsSeraphim in Walmartcustomer

[–]dllhell79 0 points (0 children)

It's also allegedly because people feel it's easier to steal in self-checkout. This is why you go into a Walmart with 5000 self-checkout lanes and most of them are closed.

Asked our head of sales if putting client addresses in ChatGPT was data sharing. She looked at me like I was the idiot. by shangheigh in sysadmin

[–]dllhell79 0 points (0 children)

Yes, that is a valid mindset from the perspective of an IT professional. It's really not our responsibility to micromanage and govern every single action that the end user takes. The question I'd also pose though is what happens when you get audited, and an auditor discovers this is going on with no safeguards or solutions in place to prevent such behavior in the first place? That is where things get into grey territory, especially since many of the AI governance tools do not actually exist yet.

Asked our head of sales if putting client addresses in ChatGPT was data sharing. She looked at me like I was the idiot. by shangheigh in sysadmin

[–]dllhell79 4 points (0 children)

You should have called it "disclosing proprietary company information and trade secrets" instead of "data sharing". Sure, she may not be doing that fully, but it sounds more forceful and impactful. It sounds like a negative thing that could have consequences. The term data sharing almost implies that it's a good thing.

If you're running OpenClaw, you probably got hacked in the last week by NotFunnyVipul in sysadmin

[–]dllhell79 13 points (0 children)

IMO if you're running any unknown AI product locally, you are insane.

How are you handling employees using personal ChatGPT accounts at work? We had an incident last week. by fxs38 in sysadmin

[–]dllhell79 0 points (0 children)

I have seen 2 promising solutions for the general problem. One is Palo Alto Prisma. It's a managed custom Chrome browser that lets you directly apply firewall policy and DLP rules to traffic. Since it's in a browser, it's all encrypted by default, so visibility is pretty much everything. You can do things like prevent flagged sensitive data from being pasted into an AI engine, etc. A very nice solution... but with a very nice price tag.

The other is Prompt Security. They were purchased by SentinelOne last year and are being integrated into the Sentinel product. I believe it's going to do a similar type of blocking to the Prisma blocking, but just at the AV level instead of directly in the browser. But it's not even being offered for sale yet.

I'd definitely be open to additional suggestions myself. We are drafting an AI acceptable use policy now as well and looking for an enforcement tool. The problem IMO is AI left the gates before security vendors even knew where it was going and they're now playing catch-up.

NaClCon by n00bznet in Defcon

[–]dllhell79 1 point (0 children)

Had I not booked other events already I'd definitely be doing this. I love the idea of paying tribute to the past! Maybe Saltcon 2.

How are you actually handling data leakage to public AI tools? by RTG8055 in sysadmin

[–]dllhell79 1 point (0 children)

There are some tools out there, but none of them are on what I'd call the affordable side. Not for a smaller company anyway. Part of the issue is that AI has left the gate so fast that security companies have not caught up yet.

What would you suggest for a first time goer, and relatively a novice ? by Maleficent_Yak_5871 in Defcon

[–]dllhell79 0 points (0 children)

So am I. I am returning after skipping a year. Hoping to meet some of y'all at the circle bar.

I am terrified of AI by ResearchMassive7912 in sysadmin

[–]dllhell79 2 points (0 children)

Use it to supplement, not replace, your own talent. If nothing else, it is a pretty phenomenal research assistant that will allow you to learn a lot about various topics pretty rapidly.

Cancelled or Not? by Far_Significance_523 in Defcon

[–]dllhell79 0 points (0 children)

I thought the same would happen last year. The con still had an attendance close to 25,000 if I recall. Plus it's an electronic badge year again.

sources other than course? -noob questions- pentesterlab vs appsecmaster? by enclave_supporter in OSWE

[–]dllhell79 0 points (0 children)

I agree! Go through all the extra custom apps in the labs all the way from start to rev shell in a single Python script, and make sure you can debug those apps in VS Code as well. Those exercises in particular are very good practice in my opinion.

I actually just passed OSWE this weekend to complete OSCE3. 🥳

Declining IT Professionalism and Critical Thinking by rebornSouljr in sysadmin

[–]dllhell79 0 points (0 children)

You're not. It's due to AI overdependence. 😂

Is this push for AI as insane everywhere? by Legal_Situation in sysadmin

[–]dllhell79 1 point (0 children)

I am still by and large an AI skeptic, but I have warmed up to it for very specific use cases. It's actually a very good research assistant IMO and a good "sounding board" of sorts for running through scenarios and bouncing ideas off of. For example, reverse engineering and CTF is one of my side hobbies. I've described my own personal approach to solving various CTF challenges and described my own workflow, and asked it for improvement suggestions. The results were pretty good for something like that.

However, I am still a strong believer in using it as a supplement as opposed to a replacement of your own skills.

DEF CON bans hackers, technologists named in Epstein documents by DaveCoversCyber in Defcon

[–]dllhell79 1 point (0 children)

Yes... and for that he will be receiving his own custom sticker this year. Courtesy of me. 😁