Hacker News | sachahjkl's comments

let me introduce you to the much better and reliable world of: static analysis


I feel we're going to have a hard time over the next months with a stream of these "magic tools" to solve already solved problems and try to milk some money out off managers who got no clue.


Static analysis paired with AI is the middle ground that makes sense to me (working in a similar security space). But the hard part needs to be regular computer science and the AI comes second.


> But the hard part needs to be regular computer science and the AI comes second.

Yes, indeed. The AI could be used to prefilter the list of warnings generated by static analysis to reduce the amount of false positives. To achieve that, an AI could use the history of the project's static analysis results to find likely false positives. Or an AI could propose a patch to avoid a warning. If it is automatically compiled, passed to the test suite and the whole CI pipeline, it could reduce the manual effort to deal with findings of static analysis tools.

But leaving out the static analysis tools would lose so much value.


We completely agree. I would redefine it a bit.

We combine static analysis + LLMs to do better detection, triaging and auto-fixing because static analysis alone is broken in many ways.

We've been able to reduce ~30% of tickets for customers with false positive detection, and now be able to detect classes of vulnerabilities in business and code logic that were previously undetectable.


That strategy has been working for the past 6 or so years.


I would redefine it a bit.

Reliable = deterministic

Accurate? Not at all. Studies show that ~30% of findings are false positive. We've also seen that with the companies we work with because we built a false positive detection feature in Corgea. There's another ~60% of issues that are false negative. https://personal.utdallas.edu/~lxz144130/publications/icst20...

We combine static analysis + LLMs to do better detection, triaging and auto-fixing because static analysis alone is broken in many ways.


no nix pkgs, what's even the point


Add the dataset!


Tuta.com not here :(


Great insight. Many programmers fail to think of their errors as valid values to get as an output. Golang got this right.


How about not using web technologies to make spreadsheet software?


I think web technologies have gone too far and too mature. The alternatives are not as much portable and approachable for some applications.

For instance, Win32 API/SwiftUI/GTK would be the surface area for a cross-platform application. I am not counting Qt/wxWidgets. You can tell a Qt application from a mile away.

And making an application look identical on all platforms is downright impossible. There would be noticeable differences.


An application should not look identical on all platforms. It should instead follow the conventions of the platform.


Never understood this. I own Windows and Mac computers, an Apple iPad and an Android phone, and I'm annoyed every time software just doesn't look the same when I switch between platforms. Why must everything look different? That's why I love the web and web applications.


Yes, please.


Incidentally, Grist runs on the desktop (Windows, Mac, Linux), see https://github.com/gristlabs/grist-electron.


… using web technologies (it’s an Electron app).


my thoughts exactly lol


Do you know about your own country? It's a perfectly legitimate comparison to make.


1.3 Million daily active users hehe


How about 0? How about we do nothing and nobody moves? This way we'll be 100% sure that no one can get in a car accident, that'd be sooo cool guys :D


Yes, but only for people as dumb as you


(¬‿¬)

