Skip to main content

4 posts tagged with "AppSec"

Application security programs, processes, and tooling

View All Tags

Guardrails vs Guidelines

· 6 min read

In the rush to integrate generative AI into the software development lifecycle, engineering teams frequently confuse two distinct operational concepts: guardrails and guidelines. To put it simply, a guideline advises: it's soft natural-language context, like an AGENTS.md or Skills file, that the model may or may not act on. A guardrail gates: it's a firm, automated constraint that forces an explicit, binary pass/fail and blocks on failure. Relying on soft guidelines for critical validation is why automated code reviews are risky. They're non-deterministic and quietly ignored.

The Ceiling for DIY Security Reviews

· 5 min read

Every security team is now running the same debate: build your own AI security review, or buy one. You drop a coding agent into CI, it finds real issues, rerun the same PR and you get different findings, different severities, no memory of last triage, no audit trail for AppSec. Get a better model and you get sharper findings but it won't close the gap. The real question isn't whether an LLM can find issues. It's whether you back yourself to build a great harness. That takes eval infrastructure, state, and the kind of engineering Cloudflare, Rogo, and Anthropic are writing blog posts about. Most teams don't have it. That is the ceiling.