I used to work in security auditing, and it makes me feel pretty jaded to think of the gigabytes upon gigabytes of random stuff that just gets pulled in from everywhere in IDEs, package managers, build pipelines and container images.
At least back then there was still a chance to read a significant part of the code and find problems before they found you.
Almost no manager will sign off on spending time on building stuff in-house if it's available "for free".
This is also in no way a new thing. How much code was written in Notepad++ in the '00s? Did anyone bother to check if the plugins did sth. malicious? We also used some weird closed-src "addon" for the Nullsoft installer to get a product out of the door, don't remember what the problem was exactly...
Like WordPress plugins previously, that'll work for now, but we're now on the trajectory of relearning that same lesson, because people are automating discovery and exploitation of these extensions and plugins and whatnot around text editors and MCP and so on.
Though I suspect we'll first see a torrent of exploitation similar to what was done to WordPress instances, and then a change of behaviour, because as you allude to, the people with influence didn't learn from previous experiences with similar technologies.
Some big corps resort to a different tactic: they ONLY allow in-house tools. IDEs, communication tools, everything you need on a daily basis, they make in-house tools for that. It costs a lot of money but they care about security.
Actually happened at one of the largest banks in the world when I was contracting there. And that was mostly just a license/legal audit, not even a full source/security audit.
Aaand this is why AI is taking our jobs and we all rightfully deserve to be laid off. This utter lack of risk awareness and care for quality is what created the need for autonomous agents to dig through and build upon man-made slop.
Honestly, I find it rich that we’re the ones who think that AI is the one that’s producing slop. Give any agent clear harnesses and it’ll produce better code than a human would close to 100% of the time. That’s still as indeterministic as the way you used “most of the time”, but the deviation tends to be smaller and the quality and rigor are much higher.
Convenience, and as someone who has been on the other side of the fence his whole career (sysadmin + security), dev != tech savvy. Even during my days in the help desk, the devs were some of the most difficult users to support. Being good at developing software doesn't always equate to being good at operating computer systems, especially in an enterprise environment.
It used to be, dev workstations and environments were fully IT controlled and curated. Then everyone moaned and complained about not having local admin access to their machine (I get it, it sucks and is annoying, but there is a reason), and then devtools started dumping themselves in %APPDATA% and user directories to bypass the admin requirement for installs. And now extensions are in everything, and IT has no tools to control it.
It's about more than lack of admin access. One uncomfortable truth I've realized over the course of my career is that the more IT "manages", the worse my computer becomes by basically any metric you can think of: stability, performance, predictability, inspectability. I've lost count of the number of times IT have broken things for me. Often, the security software they require itself has unacceptable, careless security flaws (e.g., hardcoded passwords, completely incorrect permissions checks).
Uptime of systems, even laptops, that I own can be measured in months. IT and security departments mandate the installation of so much downright shoddy software that they often end up requiring (sometimes formally!) weekly reboots just to keep the system "stable".
Frankly, I've yet to work at a company where IT or security has done what I would consider to be adequate testing of their own policies and tools. I have sadly learned down to my bones that each time I'm informed (if I'm ever informed!) that some new thing on my system will henceforth be "controlled" by some department that sees policies and standards as their mandate, no matter whether they have a "test group" that trials the stuff ahead of me or not, my system is about to permanently degrade. And more often than not, literally no one will be able to answer basic questions about the behavior of the system anymore, because the kind of people who buy and implement turnkey corporate IT solutions don't really know much about what that software does. (After all, not having to really know what it does is the whole selling point of such solutions.)
Turns out no amount of communication to the team matters when you set Copilot to autopilot and it’s not aware of the compromised packages.
I suspect that’s going to be a trend.
That's enough to see how much the AI crowd cares about security.
I am telling people to wear helmets when they drive a car, this would save hundreds of thousands of lives every year in the world, but somehow I cannot convince them.