Security tools inside coding agents get ignored unless we do things


Edition 34: A consensus is finally emerging on securing the Agentic SDLC


The Boring AppSec Newsletter

But we are a while away from solutions that are ready to use.

Sandesh Mysore Anand
Jun 24, 2026


Diego Gutiérrez’s 16th-century map got the shape of the Americas roughly right, then filled the gaps with sea monsters, mermaids, and a deeply confused Amazon River. That’s about where we are with the Agentic SDLC: broad strokes clear, details mostly wrong.


As frequent readers of the newsletter would know, I’ve been obsessed with the topic of today’s post for a while. ~15mo ago, I wrote and spoke about why AI will change the SDLC, and hence AppSec. Since then, I’ve spoken to hundreds of AppSec professionals and Developers about the topic. Every few months, we’d have some clarity on how things are progressing, and then everything would change again. This happened with the Claude Code launch, Opus 4.5 announcement, OpenClaw going viral, and so on. But something else is happening now. For the first time since ChatGPT launched, there seems to be some consensus emerging on what the future holds (at least for software development). While most companies will continue to have multiple SDLCs, it’s clear where the cutting edge lies. This is good because it finally allows us to take a deep breath and consider how to approach Security in this new landscape. In other words, we’ve moved from the world of unknown-unknowns to the land of known-unknowns. We know what we don’t know, and the next step is to figure out the answers to these unknowns.

SDLC trends

Before we get into the tech changes, a side note: A common theme among the companies I talk to is that larger changes are coming in how teams will be structured to better leverage AI. Companies are questioning every organizational “truth” that hinders AI from moving faster. From span of control to pod sizes to stand-ups to sprint planning, all established norms are up for debate. In the long term, I think this would lead to a new & improved paradigm for structuring software engineering teams. In the short term, it will cause a lot of anxiety and uncertainty for these teams. As we all figure out how to reach the promised land of higher productivity and better outcomes, it is important to recognize that social change is underway and that there will be winners and losers as a result. And unfortunately, some of the losses will be permanent. Economists may call this creative destruction, but as members of the same industry, it is important for all of us (the winners, the losers, and the ones unaffected by it) to lead with empathy.

That said, here are specific things that have changed in most software development shops:

The number of PRs filed has ballooned to crazy levels. This has had a trickle-down effect on what gets pushed to production, too. Last year, we saw a lot of vibe-coded projects pushed by AI coding tools. That’s changed now. AI-coding agents (either through local harnesses like Claude Code or cloud-deployed coding agents in mature orgs) are shipping to prod in important applications. Velocity is truly up across the board.

Code Reviews are still a nightmare. You are stuck between “YOLO and deal with it later” (which puts pressure on senior engineers and security teams) and spending a lot of time reviewing AI slop (which also puts pressure on senior engineers and security teams).

A corollary (and we will talk about this later, too) is that PRs are now a terrible place to “start” governance checks. It’s too late.

The AI labs have thrown their hats firmly in the ring. They’ve proposed various solutions to the problems created by their products and to long-standing security problems, too (1 2 3 4). Finally, they’ve also mastered the art of FUD, which would put the worst Cybersecurity salesmen to shame. (Having said that, I have to mention that Fable was awesome, and I cannot wait for it to be back.)

Security teams are all in on AI, and AI labs + cloud providers deserve a pat on the back. Questions like “but where is the data stored?” or “will you use my data for training?” have been summarily answered. Security teams and Security companies (including ours) have started to reimagine every solution with AI firmly in the middle.

PRDs have gotten the full monty treatment. Claims range from “we are completely replacing PRDs with prototypes” to “we are writing every decision down in .md files thanks to AI” (here’s an excellent overview of Spec-Driven Development on martinfowler.com). All of them are kinda lying. Documents haven’t gone away, and the only ones reading all those AI-generated .md files are other agents. Ultimately, the jury is still out on how people document and discuss “intent”. My personal opinion is that “writing to inform” (product documentation, how-to guides) will be replaced entirely by AI-generated documents, and...
