> Security testing has to become an automated, integral part of the CI/CD pipeline. When a developer opens a pull request, an AI agent should immediately attempt to exploit it. When infrastructure changes, an AI should autonomously validate the new attack surface. You do not beat automated attackers by turning off the lights; you beat them by running better automation on the inside.

This feels like the core of the article, but it doesn’t prove the need for open source.

I support and encourage the death of “““open source””” so that we may retvrn to Free Software.

Pretty overreaching claim about another company's internal decisions and open source in general. There is a lot of incentive to stop open source these days.

One of which I am experiencing right now is somebody just copying my repo, not crediting me, didn't even try to change the README. It's pretty discouraging.

The other is security reasons, the premise that volunteers will report vulnerabilities really matter if you are big enough for small portion of people to dedicate themselves, for the most part people take open source tool use it and then forget about it, they only want stuff fixed.

Lastly, open source development kinda sucks so far. I'v been working on a few different tools and the amount of trolling and just bad faith actors I had to deal with is exhausting. On top of that there is a constant stream of people just demanding stuff to be fixed quickly.

feels like the real shift is not open vs closed, but reaction time AI attackers don’t need perfect access anymore, just enough surface and time. So the question becomes: can you detect+respond faster than they can iterate in that sense, open source might even help -more eyes reduces time to fix, not just time to find

I'm hopeful the article is right about its prediction, although I'm under the impression the attacker/defender dynamic is asymmetric and the defender on the loosing end. I hope someone can proof me wrong though...

Making the assumption that the same amount of money needed to attack a critical vulnerability is also required to find and fix it.

Lets say we have a project with 100 modules, and it costs us $100 000 to check these modules for vulnerabilities. What is stopping an attacker from spending the same amount of money to scan, lets say 10 modules but this time with 10x the number of tokens per module than the defender had when hardening the software?

At the same time, I heavily support open-source and contribute a lot, but I can't necessarily agree that security-through-obfuscation doesn't play a major role in slowing down attacks. Cloudflare have based its whole security being closed-source (for example on its anti-bot mechanism) to be hard to reverse engineer, and they remain leaders as of today with few serious security breaches.

Some things just can't be truly secure as well, ddos protection is mostly a guessing/preventive game, exposing your firewall config/scripts will make you more vulnerable than NOT.

If your codebase isn't exposed, attackers are constrained by the network and other external restrictions which greatly reduce the number of possible trials, even with a swarm of residential proxies, it's not the same at all from inspecting a codebase in depth with thousand of agents and all models.

Closing your source doesn't close your attack surface,it just closes the community that would have helped you defend it. Security through obscurity is a kind of tradeoff, not a strategy.. i mean that's what I feel.

feels like people are arguing the wrong axis tbh

- it’s not open vs closed anymore, it’s more like bug finding going a few devs poking around to basically infinite parallel scanners

- so now you don’t get a couple of thoughtful reports, you get a many edge cases and half-real junk. fixing capacity didn’t change though

- closing the repo doesn’t really save you, it just switches from white-box to black-box… and that’s getting pretty damn good anyway

real problem is: vuln discovery scaled, patching didn’t. now everything is a backlog game

Great PR piece by Strix, but I find mixed messages.

Cal.com folks are getting a red team for free, wouldn't that further convince them their closed source software is strong enough?

Isn't Strix's business companies paying for scans regardless of whether the software scanned is open source or closed?

It's a good question - is blackbox hacking as effective as whitebox hacking, for AI agents? I've gotta assume someone at Anthropic is putting together an eval as we speak.