u/MortgageWarm3770

Had Claude compile and run a trending open source project. It worked perfectly. Then Grype found 1,673 vulnerabilities.

Saw Cal.diy trending on Hacker News, looked cool, asked Claude to compile and run it locally. Took maybe 5 minutes. Worked flawlessly. Felt like magic.

Then I did the thing you should probably do before the cool part. Ran Grype.

Three container images. calcom, postgres, redis. 1,673 vulnerabilities total. 31 critical. 159 high.

None of them in the app code btw. Every single one came pre-installed in the base images. I hadn't touched a line and was already buried in CVE debt.

AI can build software faster than we can check if it's safe and we're all just... shipping it. Anyone else had this wakeup call?

u/MortgageWarm3770 — 6 days ago
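The triage step the post describes (severity counts, and separating base-image debt from findings in your own layers) as an added example, not code from the post or from Grype. It assumes the JSON shape of `grype <image> -o json` (matches[].vulnerability.{id,severity} and matches[].artifact.locations[].layerID) and constructs a tiny sample report with placeholder CVE ids and layer digests.

```python
import json
from collections import Counter

# Constructed sample report in the assumed shape of `grype -o json` output.
# CVE ids and layer digests are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0",
                  "locations": [{"path": "/usr/lib/libexample.so", "layerID": "sha256:base0"}]}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "exampletool", "version": "2.3",
                  "locations": [{"path": "/usr/bin/exampletool", "layerID": "sha256:base1"}]}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical"},
     "artifact": {"name": "example-app-dep", "version": "0.9",
                  "locations": [{"path": "/app/node_modules/example-app-dep/package.json",
                                 "layerID": "sha256:app0"}]}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low"},
     "artifact": {"name": "example-util", "version": "4.1",
                  "locations": [{"path": "/app/node_modules/example-util/package.json",
                                 "layerID": "sha256:app0"}]}},
]})

# Layer digests belonging to the FROM image; constructed here, in practice taken from
# the base image's own scan or `docker history`.
BASE_LAYERS = {"sha256:base0", "sha256:base1"}


def triage(report_json, base_layers):
    """Count findings by severity and by origin; list Critical/High ones in app layers.

    Base-image findings are fixed by moving to a patched base image; app-layer
    findings are the ones your own dependency bumps can address.
    """
    data = json.loads(report_json)
    by_sev, by_origin, actionable = Counter(), Counter(), []
    for m in data.get("matches", []):
        sev = m["vulnerability"]["severity"]
        by_sev[sev] += 1
        layers = {loc.get("layerID") for loc in m["artifact"].get("locations", [])}
        origin = "base-image" if layers and layers <= base_layers else "app-layer"
        by_origin[origin] += 1
        if origin == "app-layer" and sev in ("Critical", "High"):
            actionable.append((m["vulnerability"]["id"], m["artifact"]["name"]))
    return {"total": sum(by_sev.values()), "by_severity": dict(by_sev),
            "by_origin": dict(by_origin), "actionable": actionable}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT, BASE_LAYERS), indent=2))
```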

How do you maintain security visibility when your cloud footprint doubles overnight post-migration?

We finished our SAP migration to AWS and the migration itself went surprisingly smooth. On time, on budget, minimal drama. The problem started the week after.

Our cloud footprint basically doubled overnight. New VPCs, new accounts in the org, new EC2 instance families we had never used before, new everything. The migration team had spun stuff up fast to hit the deadline and then handed it over.

Here's where it got ugly. Our security tooling was all agent-based. Every new account meant another IAM role to configure, another agent to deploy, another thing to keep updated. Within two weeks we had agents going stale after OS patches, new instances spun up by auto scaling that missed the install script entirely, and three different agent versions across the fleet giving us inconsistent scan results.

We went from zero coverage gaps to having entire accounts with no security visibility for days at a time, and we wouldn't know until someone manually checked. Operational overhead of just keeping agents healthy across the expanded footprint was eating more time than fixing the findings. Feels like I went from being a security engineer to an agent babysitter.

For those who have been through a big migration, how did you handle security visibility at scale? Specifically curious how teams manage when the deployment velocity is fast and the footprint keeps changing.

u/MortgageWarm3770 — 15 days ago

MIT apparently found 95% of enterprise AI projects fail. I was listening to Curiouser & Curiouser podcast from Alice recently and one of the guests called it simply: most of those projects never had a goal. They got budget because the technology looked impressive, teams played around for a few months, and then everyone ran out of energy once the novelty wore off.

His point was that you have to be deliberate about what you point these tools at. LLMs are genuinely incredible at language, summarization, and code generation, basically stuff that was science fiction five years ago.

But they're awful at arithmetic, following precise instructions, and repeatable automation. The projects that actually ship pick use cases that play to the strengths and deliberately keep the model away from everything it's bad at. Everything else is just an expensive science fair.

What's your bar for calling an AI project worth doing vs just vibes? Anyone here shipped something that delivered, and what made that one different from the ones that died?

u/MortgageWarm3770 — 24 days ago

Audit landed on my desk last week. Every single application we tested had at least one security misconfiguration, yes, every last one of them.

Then I read the OWASP 2025 and apparently we're not special. 100% of apps tested across the whole dataset had the same problem. I mean 700k+ CWE occurrences in this category alone.

Here's the part that's wrecking me though: detection isn't the problem. Our scanner found them, we have findings out the wazoo. What nobody can tell me is which of the 4,200 misconfigs flagged in our environment will get us breached and which ones are technically true but irrelevant bs.

The auditor wanted a remediation plan, but a plan that treats all 4,200 the same is just a backlog with a deadline. What we need is reachability and blast radius, basically which misconfigs are on internet-facing assets, which ones chain into sensitive data, which ones combine with an over-permissioned role to become an attack path.

How are folks handling this post-audit? Feels like the industry's stuck solving discovery while the problem moved years ago.

u/MortgageWarm3770 — 26 days ago