<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Using LLMs to Secure Source Code — Eugene Yan, Anthropic</title>
        <link>https://video.ut0pia.org/videos/watch/f60c9f5f-9f71-4bc1-b549-905401bb1e00</link>
        <description>Mozilla shipped about 20 security fixes a month across Firefox in early 2025. In April it shipped 400, a 20x jump, and it credited roughly two thirds of them to a frontier model. That is the shift Eugene Yan came to describe: models are now finding and fixing real vulnerabilities at scale. Anthropic's own scan of more than a thousand open source repos surfaced 6,200 high or critical issues out of 23,000 candidates, reported 1,600 to maintainers, and saw about 100 patched upstream. Finding bugs, it turns out, is no longer the hard part. The bottleneck has moved to verifying, triaging, and patching them. The talk walks a six step workflow through one running example: a five line order lookup with a SQL injection hiding in a Python string. The two setup steps are a threat model and a sandbox. A written threat model alone pushes the true positive rate to 90%, because a model has great context of the code but poor context of the system, all the design decisions that live only in someone's head. The four loop steps read like a machine learning pipeline: discovery optimizes for recall, then a separate verification agent, kept independent and adversarial so it never sees the discovery reasoning, optimizes for precision by detonating the exploit in a fresh container. Triage protects the scarcest resource, engineer attention, and patching closes the loop so the same bug cannot return. His parting advice: start this week on open source dependencies, keep your hands on the wheel before automating, and remember that scanning was never the bottleneck. Speaker info: https://x.com/eugeneyan, https://github.com/eugeneyan, https://eugeneyan.com, Timestamps: 0:00 - Working with security teams to find and fix vulnerabilities 0:49 - Three trends in model security capability 1:16 - Cybersecurity benchmarks and the step jump in capability 1:54 - Mozilla's 20x jump in monthly security fixes 2:44 - Log4Shell, Heartbleed, and why this matters 3:22 - Anthropic's scan of a thousand open source repos 3:35 - The bottleneck shifts to verify, triage, and patch 3:48 - Why agentic harnesses changed the game 4:29 - The six step workflow 5:31 - A running example: the order service 5:45 - Step 1: the threat model and 90% true positives 7:42 - Step 2: the sandbox for isolation and reproducibility 9:24 - Step 3: discovery and the five line SQL injection 11:44 - Step 4: independent adversarial verification 13:36 - Step 5: triage and the scarcity of engineer attention 15:52 - Step 6: patching and closing the loop 17:19 - It all looks like a machine learning pipeline 17:43 - The non technical bottlenecks are harder 18:47 - Organizational bottlenecks: routing, severity, bandwidth 20:05 - Three takeaways and how to start this week</description>
        <lastBuildDate>Sat, 18 Jul 2026 05:30:27 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://video.ut0pia.org</generator>
        <image>
            <title>Using LLMs to Secure Source Code — Eugene Yan, Anthropic</title>
            <url>https://video.ut0pia.org/lazy-static/avatars/0287a09a-aae7-4840-9843-b416426e7046.webp</url>
            <link>https://video.ut0pia.org/videos/watch/f60c9f5f-9f71-4bc1-b549-905401bb1e00</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://video.ut0pia.org/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://video.ut0pia.org/feeds/video-comments.xml?videoId=f60c9f5f-9f71-4bc1-b549-905401bb1e00" rel="self" type="application/rss+xml"/>
    </channel>
</rss>