Boosted by soatok@furry.engineer ("Soatok Dreamseeker"):
neilmadden@infosec.exchange ("Neil Madden") wrote:
I’m willing to believe that Anthropic built a better SAST. But that’s a total market of about $5B tops according to Google (some estimates seem to be just $0.5B) – it’s going to take a while to pay off their $30B Series G if they keep targeting these relatively tiny markets.
As with targeting developer productivity (another famously quite small market), they are focused on these markets because there are existing automated “bullshit-corrector” tools. In the case of software development: type checkers, linters, testing frameworks, etc. In the case of memory corruption bugs, apparently they leant heavily on ASan to weed out the false positives.
Anyone who’s ever used a SAST on a mature code base knows that reducing false positives is the number 1 priority.
Also, in a parallel to recent articles about coding agents, finding vulnerabilities is not the bottleneck.