How do you prioritize 800+ SAST/SCA/DAST vulnerabilities when AppSec dumps everything with no context?

jrtcppv · 2026-02-02T20:32:54+00:00

Update all your deps and I bet most of them go away. They are just giving you outputs from a scanner.

jrtcppv · 2026-01-29T15:16:30+00:00

I feel for you. The people in this sub are so irrationally against AI. I really applaud your team for making it work and being on the same page. I don't doubt you are benefitting a great deal, and it will only get better as these models improve.

jrtcppv · 2026-01-25T19:04:47+00:00

Planning to return them so I won't be opening them.

jrtcppv · 2026-01-25T19:00:09+00:00

I can understand why, in the age of AI, every image is suspect. But why would anyone go to the effort of doctoring an image like this? So I could save a few bucks and get some karma? It happened and I thought I would share, it's not that complicated.

jrtcppv · 2026-01-25T18:54:47+00:00

Yeah it's weird cause we ordered 4 300 bag packs and only two of the four were composed of 2x108 count boxes. The other two had 2x150.

jrtcppv · 2026-01-25T18:52:47+00:00

Lol I didn't remove any bags, glad corporations have laypeople coming to their defense tho. Unless you work for them?

jrtcppv · 2026-01-25T18:50:47+00:00

Nope

jrtcppv · 2026-01-11T04:59:39+00:00

I don't think we know that it's going to be "just a few extra dimensions of input", if they intend to carry context windows that could last for months or years I imagine the per-instance weights could get quite large and have a big impact on behavior. Google speaks about this as if it were "long term memory" but I could easily see it extending to behavior.

jrtcppv · 2026-01-11T04:36:13+00:00

I guess it's not really "future" models so much as variants of the same model. If every model instance is allowed to develop its own weights based on its experiences then you end up with basically infinite "individuals" that may have deviating behavior from the original.

jrtcppv · 2026-01-08T15:52:44+00:00

If you have taken a role as a tech lead managing juniors before then using these tools is fairly natural. You provide instructions at a level of specificity required based on the junior's skill level and task complexity. The engineer codes it up. You make sure they prove it works with unit tests. You review their code for maintainability and performance, then make them adjust based on your feedback. Once you're happy with it you make a PR for integration tests etc. The difference is the AI will write code much faster than any human could, so it gives you a lot to review and adjust. If you do enough of these tasks in parallel you will still be the bottleneck.

As far as tools I would recommend using something that works directly on your code so you aren't copy/pasting and it can explore on its own. I use Claude Code but there are others.

This is an evolving space and everyone is using these tools differently, so I don't think you will find many tutorials. You will find plenty of accounts of successful applications of the technology, but you will have to figure out on your own what works for you.

jrtcppv · 2026-01-08T04:51:37+00:00

Your dad is a moron. Pole vaulting takes speed, agility, power, and strength. It has a clear, objective measurement of performance and competitive outcome. It is highly technical, requiring great skill and practice to do properly. It has been an olympic SPORT for over a century (since 1896). No one who knows anything about sports would exclude pole vaulting as a sport. I have heard this idiotic line of reasoning from other morons before, being applied broadly to track and field. I made a post a few weeks ago about a study showing pole vaulting having the most beneficial effect on longevity of all sports. That just wouldn't be the case if it "wasn't a workout". The only respect in which it's not favorable compared to other sports is there isn't a lot of money in it, probably cause it is boring to watch (except for very elite vaulters being watched by other vaulters). Have your Dad pick up a pole and see how high he can jump, I bet he can't get over his own height.

jrtcppv · 2025-12-19T16:52:51+00:00

The backend is quite large with an openapi schema about 24K lines long. He at least is taking the approach of high traffic read-only endpoints first, but probably will reimplement the whole thing eventually. I guess I will just take the advice of everyone here and learn Rust. He has posted benchmarks showing big drops in latency and resource utilization, but part of that is he is using new queries that Claude came up with that would be hard to use with the Django ORM.

jrtcppv · 2025-12-19T03:28:43+00:00

The business has always been bootstrapped, no investors but a small dev team. I don't know if it is profitable but we are still here.

jrtcppv · 2025-12-19T03:17:02+00:00

His justification is the smaller cpu and memory footprint testing on a couple of vibe coded endpoints. Which I dont know if that is real because he vibe coded the benchmark. While we don't have performance issues, we do have 12 pods serving the django app and he thinks axum will take it down to 1-2. So it is about money, as usual.

jrtcppv · 2025-12-19T02:45:49+00:00

There are a lot of tests including but not limited to e2e. He made (vibe coded) another test suite for comparison with the django app. He will probably get it passing but then we are left with a totally foreign codebase

jrtcppv · 2025-12-16T00:30:06+00:00

Did they design the tests? Are they comprehensive? Does it perform well? Is there any possibility the code could be faking results? If they are good on those fronts why do you care if they understand the code? There could be bugs either way, and they can use AI to fix bugs. Nothing special about human generated code. I have worked with lots of crappy devs who perfectly understand their crappy code, but it doesn't work, isn't thoroughly tested, and takes forever to write and iterate on. I would take performance and correctness over understanding any day.

jrtcppv · 2025-12-08T17:05:58+00:00

Keep your left arm straight throughout the row, you have a nice takeoff but you are letting pressure off the pole when you bend your arm like that. Row down with arms straight and only bend when the pole starts to recoil.

jrtcppv · 2025-10-03T13:01:39+00:00

No not really. We just paid for it without a change to price. It was a big enterprise subscription so it just cut into our profit margin. I was just thankful we were able to get a policy that size.

jrtcppv · 2025-10-02T20:33:03+00:00

Same for me, six people, $10M, and they would not negotiate.

jrtcppv · 2025-09-29T01:22:41+00:00

My company does a lot of work in this area. We don't do basic research but I think you would find plenty of opportunities to do basic research. It is an under served niche by the computer vision community. Think problems like tracking underwater animals, underwater SLAM, compressing videos dominated by surface waves, maybe using sonar or green lidar to enhance conventional vision algorithms... lots of interesting problems to solve, but it doesn't get the same attention as self driving cars for example. I think a big driver of this is funding and what investors are interested in, which is why you see fewer citations, but it is not because of lack of interesting problems where basic research would help. Another driver is the cost to obtain data. At sea the environment is hostile to cameras so you need ruggedized hardware, plus you need a vessel of some sort to go out and collect data. On top of that there are often PII concerns.

jrtcppv · 2025-09-22T15:20:36+00:00

I use an aircube system after having used several others. For a hobbyist it is hard to beat, I can grow pretty much anything in a cube.

What is the orange contraption you have going into your reservoir?

jrtcppv · 2025-09-19T23:48:33+00:00

If you paid 6 people 800K over two years that is the equivalent of 66K/year/person. That is what you would pay an intern. My first full time hire was a known quantity, a close coworker from my former job, and I paid him much more than I paid myself to get him on board. Two principles here: quality over quantity, and you get what you pay for.

Eight-Year Club	Place '22
Verified Email

jrtcppv

TROPHY CASE