it would be kinda cool if we had built-in support for Node.js env file reader and also from the most popular env variables library (dotenv) to support this syntax for exec() as part of env-variables and resolving it
yes, I get the security concern but still
06.03.2026 19:00
look at the last column and your favorite LLM for how likely they are to produce correct code (which for you seems fine), yet insecure code (which is great for attackers); that's from the #baxbench project
06.03.2026 16:00
David Cramer's write-up on Sentry's Warden code review agent is very on point. I resonate with this in particular with regard to security review.
Feeding a ton of context into a /security-review skill and expecting it to just magically secure your code is... insane, because that's just way too wi
06.03.2026 10:00
If you haven't watched Pantheon yet on Netflix I highly recommend, more so even these days given the AI relationship...
05.03.2026 19:00
In these times when LLMs are a quick gateway for quick and sometimes shallow answers, it is nice to see an engineer proactively investing in their knowledge - buying my 3 books bundle on Node.js Secure Coding
thank you kind (and now - more secure), developer ❤️
05.03.2026 10:01
Boris Cherny confirms he prominently uses Plan mode in Claude Code. I confirm. I've done the same with Cursor and the AskUserQuestionTool and it's been so good in a sort of interview-style session to spec all the requirements out.
That's pretty much AI-native.
04.03.2026 19:00
2016: rise of the specialist - frontend architect, Go systems engineer, kubernetes DevOps engineer.
2026: rise of the generalist - rewarded for expertise in AI-native capabilities, driving AI agents.
04.03.2026 16:01
"productivity per engineer increase 200%" - Boris Cherny on Lenny's podcast. Totally relatable. Coding is solved, largely. I agree. But remember that software engineering wasn't just coding.
04.03.2026 10:00
Anthropic 4x'ed the engineering team for Claude Code over the last year, based on Boris Cherny's commentary.
so, humans are still required to accelerate work but at the same time, they're also the bottleneck. fun times.
04.03.2026 07:00
hah, first time I see this page trending on my blog, funny :-)
03.03.2026 10:01
Did you know you can do object detection with Gemini models?
cool use of multimodal aspects of online LLMs over using offline YOLO models
02.03.2026 10:00
friends on an interview hunt, please be careful. shared on TLDR infosec of an ongoing malware campaign targeting devs
27.02.2026 19:00
who wants to play? reply with your thoughts and I'll show you how it fits my MCP security framework
26.02.2026 16:00
oooo cursor, I thought you'd never ask!
26.02.2026 07:00
ahh yes, the Claude Code Security saga that kills cybersecurity startups. So you're saying LLMs are good at writing code? industry benchmarks like BaxBench show something else
I guess we're lucky to have a new Opus model because 4.5 was only marginally better than a coin toss at secure code
25.02.2026 19:00
Nice refreshing update of the Qodo AI code review tool, I like how much cleaner it is now
25.02.2026 10:00
if you're wondering why Brian Clark is so confused it's because the newest Compose 1.5 model on Cursor confabulated a non-existent npm package version...
if you don't want that happening to you, that's what @Snyk fixes for the agent with the Snyk MCP Server integration
24.02.2026 16:01
looks like I need to fine-tune YOLO to detect the yoda hat
24.02.2026 10:00
what do you do when you find out about unapproved or old AI models in your code projects...? that's kinda shadow AI but we can forgo the fancy security acronym :-)
24.02.2026 07:00
if you know you know
23.02.2026 20:45
a handy tip with GitHub is that on failing CIs I can just fire off the GitHub Copilot agent to fix it
23.02.2026 19:00
Your goal is that all agentic coding sessions will bake a @Snyk security scan into the task list
why is this helpful?
- it audits the AI generated code
- it audits the package health of hallucinated npm packages
- it prevents malicious packages from getting installed
- it provides security context
23.02.2026 16:01
I kinda miss the whole hands-on live hacking presentations. We should have more of this.
20.02.2026 19:00
the claude code cli flag we really want
20.02.2026 16:02
the security concerns of YOLO with your coding agents (or any AI to be honest)
20.02.2026 10:00
kinda cool seeing @snyksec powering the AI agents ecosystem by flagging security issues in skill .md files :-)
20.02.2026 07:00