When Speed Outruns Intent
At the end of 2024, more than 25 percent of Google’s newly committed code came straight from large language models.
That’s great for shipping velocity, until you realize much of that code was produced with little context beyond “create this thing and make the tests pass.” Security teams are suddenly protecting software that even its authors don’t fully understand.
This recent Lawfare article, “AI and Secure Code Generation” by Dave Aitel and Dan Geer, discusses the move from “pointing machines” to “knowing machines” (a fantastic way to describe it). I was enthralled as I read it, because it highlights so many of the issues we’re seeing today in customer environments.
The article goes on to highlight several big warnings that are coming up in our customer conversations as well. Here’s a summary of each, along with how we’re working to solve these problems.
1 │ Code Written for the Moment, Not the Mission
LLMs solve the prompt in front of them without a care for the architecture behind it (much like a junior coder versus a software architect). Aitel and Geer observe that traditional metrics (bug counts, manual reviews, intent tracing) are now obsolete, because no one can guarantee the coding AI understood the broader design.
DryRun Security: With us in your pipeline, every pull request is analyzed in context with a sole focus on security. Our engine analyzes intent from data-flows, config usage, and runtime boundaries, flagging when new code drifts from established security practices and introduces new risk based on the full context of the code.
2 │ Brace for an Explosion of “Unknown Unknowns”
Autonomous agents discover and introduce bugs faster than humans can catalogue them, much less write regex rules against them. Aitel and Geer liken it to a digital Cold War of zero-days where defenders often learn last.
DryRun Security: Instead of signature-matching known CWEs, we built an intelligent AppSec agent that looks beyond pattern matching and runs like an AppSec engineer on every pull request, no rules required unless you want to enforce policy.
3 │ Security Assurance Must Move Past Deterministic Reasoning
Counting hazards isn’t enough; we must know whether they’re exploitable. The Lawfare article's “pointing vs. knowing” argument lands here: tools must understand impact, not just syntax.
DryRun Security: We fuse static analysis with contextual reasoning (runtime environment variables, network rules, privilege boundaries), so a stack overflow in an unreachable function doesn’t drown out a quietly exposed injection sink.
4 │ It’s an Arms Race: AI vs. AI
Attack automation is already weaponizing every public patch (remember ProxyLogon in 2021?). If defenders aren’t automating at the same pace, they’re losing ground hourly.
DryRun Security: Continuous agentic PR scans run at every merge with the context of your main branch. Model-backed remediation suggestions mean developers see actionable risk assessments, not PDFs, keeping cycle time low while the developer is still in the code.
Frameworks Are Catching Up
Even the NIST Secure Software Development Framework now ships an AI-specific profile, urging provenance tracking of models and prompts.
But most orgs still treat compliance as a quarterly checkbox. DryRun plugs straight into your CI/CD pipeline, producing evidence for SSDF controls and OWASP Top 10 categories on every run.
Finally, take some time to read the full article if you can. The authors provide excellent context and insights around these risks, along with more depth on why they see LLMs as a force for good in code security.
Ready to Try it Yourself?
We certainly agree that finely tuned and tested AI is a big part of the solution. Testing DryRun showed a record 88% accurate findings with actionable remediation guidance, versus traditional tools that were built before AI was everywhere in our code. Ready to see it live?