Posts

Showing posts from March, 2026

But did you even READ the policy?

If you work in a company, almost any company, you have obviously read all the security policies. At least, you have signed off that you have read all the policies, because that’s part of the required annual security training. “Sure, yeah, I read all of them. I know where they are anyway. I think.” There are two reasons why every annual mandatory security training requires you to read the policies. First, you’re actually, you know, supposed to follow them. It’s probably hard to do that if you don’t read them first. Second, so the company can fire you if you fail to follow them. Then again, I haven’t read the Revised Code of Washington, and I have to follow that too, so what’s the point? When you sign off, you agree to the “…up to and including termination” part at the bottom of most policies. In our legal system this isn’t necessary because of the common law principle of ignorantia juris non excusat (ignorance of the law is no excuse). This principle is fundamental to the system and in polici...

The 5GL Is Here. It’s Vibe Coding, And It Will Harm Your Business.

When I was in graduate school, an exciting area of research in Computer Science, and especially in Information Systems, was how fourth generation languages (4GL) would enhance developer productivity and reduce bugs and rework. 4GLs, like SQL and PHP, offer a higher level of abstraction that allows developers to focus on what they are writing, rather than spending most of the time on how, as in 3GLs (such as Rust, C/C++, Java, Perl, and so on). Today, we have a 5GL, and few people seem to even think of it as a 5GL, or even as a language. Guess what? It is English, or any other natural language you type into an LLM to produce 3GL or 4GL code. Every day, millions of people are typing 5GL into a vibe coding front end to a Large Language Model (LLM) and out comes 3GL code that in many cases the person who typed the prompt cannot read and understand. This is a critically important moment for Security Professionals and Executives because it upends everything we thought we knew about softwar...