๐๐ป๐๐ต๐ฟ๐ผ๐ฝ๐ถ๐ฐ ๐ ๐๐๐ต๐ผ๐ ๐๐ ๐ก๐ผ๐ ๐ ๐ฆ๐ถ๐น๐๐ฒ๐ฟ ๐๐๐น๐น๐ฒ๐
Anthropic released a guide on using LLMs to secure source code. It uses a six-step loop to find vulnerabilities in codebases.
The guide is good. It uses independent agents for discovery and verification. It emphasizes threat modeling. It offers practical advice from real experience.
The guide works for finding known patterns in code like SQL injections or buffer overflows. LLMs excel here because they recognize these shapes from training data.
But the framing is dangerous.
By saying "using LLMs to secure source code," it suggests this covers all security. This makes other major risks invisible. When a major AI lab frames security as just "finding and fixing bugs," the industry follows. The real problems stay hidden.
Security is not one problem. It is four distinct quadrants:
- Application Code: The logic and functions. LLMs work well here.
- Application Config: Settings like session timeouts. LLMs cannot fix these because the code is fine, but the value is wrong.
- Infrastructure Code: Templates like Terraform. These check instructions before deployment.
- Infrastructure Config: The actual deployed state in the cloud. This is where drift happens.
Anthropic covers the first quadrant. It does not cover the others.
An LLM scanning your code cannot see if an S3 bucket is public. It cannot see if two safe configurations combine to create a dangerous path. It cannot see if your deployed state matches your business intent.
The most damaging breaches often live in the gaps:
- Compound risks in the relationship between resources.
- Mismatches between what you intended and what you deployed.
- Architectural flaws like wrong trust boundaries.
A model that finds ten times more bugs only helps the first quadrant. If your team already struggles to patch 6% of findings, more findings will just create more noise. It creates a bigger backlog, not more security.
We must stop treating security as a pattern-matching game.
Pattern-matching works for code bugs. It fails for intent-dependent problems. A public bucket is a feature for a website but a breach for private data. The difference is not in the code. It is in the intent. LLMs do not know your intent.
Use LLMs to find bugs in your code. It is a real advance. But do not mistake bug-finding for total security.
True security requires different tools for different problems:
- LLMs for pattern-based code bugs.
- Deterministic verification for configuration posture.
- Graph evaluation for compound resource risks.
- Mechanical checks for declared intent.
Do not hunt for a silver bullet. Ask what problem the tool actually solves.
Optional learning community: https://t.me/GyaanSetuAi