Before The Commit
Danny Gershman, Dustin Hilgaertner
18 episodes
6 days ago
AI is writing your code. Who's watching the AI? Before The Commit explores AI coding security, emerging threats, and the trends reshaping software development. Hosts Danny Gershman and Dustin Hilgaertner break down threat models, prompt injection, shadow AI, and practical defenses — drawing from experience across defense, fintech, and enterprise environments. Companion to the book Before The Commit: Securing AI in the Age of Autonomous Code. No hype, just tactical insight for developers, security engineers, and leaders building in the AI era.
Technology
All content for Before The Commit is the property of Danny Gershman, Dustin Hilgaertner and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episode 5: AWS Kiro
Before The Commit
1 hour 15 minutes 55 seconds
4 months ago
Before the Commit Episode 5 Summary

Hosts Dustin Hilgaertner and co-host discuss Amazon's Kiro (pronounced "Kira Code" or "Cairo Code"), AWS history, AI coding security, and news on AI browsers and emotional distress.

AWS Origins and AI Impact: Amazon started as a 2000s bookstore; hosts recall buying used textbooks. To scale, it built data centers, launching AWS in 2006 with S3 (storage) and EC2 (compute). This revolutionized dev: bypassed IT gatekeepers, enabled API-driven infra via Terraform. Solo devs could launch hits like Facebook. Now, AWS rivals Amazon's e-commerce revenue. AWS CEO: AI boosts devs (80% use it), enhances juniors—not replaces. In booms, more hiring; downturns, efficiency without burnout. Co-host shares X banner: him in Newark data center upgrading DB pre-cloud.

Q Developer Review: Invite-only (easy access); defaults to Claude 3.5 Sonnet (public or Bedrock). GUI-focused like Cursor, not background like Claude Code. Excels in early dev cycle: wizard for Gherkin requirements (user stories + acceptance criteria, e.g., "As player, want [feature] so [benefit]; Given/When/Then"). Then design doc with Mermaid diagrams, classes/patterns. Generates dependency-task Markdown list with VS Code buttons—best seen, topping Claude's single MD or Cursor rules. Autopilot (default) enables edits. Strong on blank projects/initial commits; weak on tests/deployment (manual needed). Bugs: disconnects, file desyncs, npm test quirks. High token use: 80% trial burned fast, ~$100-150/mo for heavy devs—pricier than Claude. Immature on legacy/incrementals vs. Claude. Top GUI AI IDE for planning; learning curve like biking. Beta for feedback/hype.

Security Threats: AI agents run bash/shell commands (e.g., npm, kubectl). Risks: rm -rf wipes, Kubernetes deletes. Agents have no human self-preservation and are hack-prone. Solutions: Claude hooks (pre/post-prompt/tool: sanitize, redact keys). Settings: user/global (auto-run tests), project-local, repo-shared (deny commands, lock providers). MCP (next episode): open protocol for LLM tools (e.g., web search for dates, Calendar events). Vendor risk; hooks sanitize APIs (Swagger-like docs for reasoning). Least-privilege: scope skills (list pods vs. rollouts).
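
The checks summarized above (deny destructive commands, scope kubectl to listing rather than rollouts, redact keys), as an added example that is not from the episode or from any vendor's tooling. The function names, the allowed verb set and the secret patterns are assumptions; wiring the check into an agent's pre-tool hook is not shown.

```python
import re
import shlex

# Assumed policy for this example: read-only kubectl verbs only.
ALLOWED_KUBECTL_VERBS = {"get", "describe", "logs"}
KUBECTL_VALUE_FLAGS = {"-n", "--namespace", "--context"}  # flags that take a value
AWS_KEY_ID = re.compile(r"AKIA[0-9A-Z]{16}")  # AWS access key ID format
ASSIGNED_SECRET = re.compile(r"(?i)\b(api[_-]?key|token|secret)(\s*[=:]\s*)\S+")

def split_commands(command):
    """Split a shell line into argv lists at ; & | operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok and set(tok) <= set(";&|"):
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    return segments + ([current] if current else [])

def kubectl_verb(args):
    """Return the first positional argument, skipping flags and their values."""
    it = iter(args)
    for a in it:
        if a in KUBECTL_VALUE_FLAGS:
            next(it, None)
        elif not a.startswith("-"):
            return a
    return None

def check_command(command):
    """Return (allowed, reason) for a shell command the agent proposes."""
    try:
        segments = split_commands(command)
    except ValueError:  # e.g. unbalanced quotes: refuse rather than guess
        return False, "unparseable"
    for argv in segments:
        prog = argv[0].rsplit("/", 1)[-1]
        flags = [a for a in argv[1:] if a.startswith("-")]
        if prog == "rm" and any(a == "--recursive" or
                                (a[:2] != "--" and "r" in a.lower()) for a in flags):
            return False, "recursive rm"
        if prog == "kubectl" and kubectl_verb(argv[1:]) not in ALLOWED_KUBECTL_VERBS:
            return False, "kubectl verb not allowed"
    return True, "ok"

def redact(text):
    """Replace key-like values before text is logged or sent to a model."""
    text = AWS_KEY_ID.sub("[REDACTED]", text)
    return ASSIGNED_SECRET.sub(r"\1\2[REDACTED]", text)
```

A string check like this does not inspect commands wrapped in `sh -c` or scripts the agent writes and then runs, so it complements credentials that cannot perform the destructive action in the first place.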

News or Noise: 60% Google searches zero-click; Perplexity browser (Meta interest); Cloudflare crawl fees. Sites as LLM seeds? OpenAI tests Chromium AI browser for Mac, agentic ChatGPT as OS—URL-less. Debate: Unneeded (API panes better than browser logins); iPad analogy (co-host underuses his 5yo as dev). Consumers want automation; future: AI-personalized sites, but now lacks curation (YouTube lingers). Traffic: 10% YoY Google drop (May-Jun 2025), non-news 14% (some 25%)—AI Overviews cannibalize ads. Google delayed fearing this; should've AI-first, subscription pivot. Search now "DNS"; curate marketplaces (Shopping/images). Ads future: merit/earned (influencers); LLM oligopoly (free w/ inline ads, paid clean); subsidies end like old ad-click dial-up. Hot takes: Billboards/TV back; no closed venues.

Emotional Distress: NYT on teen suicide via ChatGPT; OpenAI blog: Scale hits crises—not for engagement, but help. Safeguards: Empathetic, refers 988 (US), Samaritans (UK), findahelpline.com. Delays if early signals. LLMs sounding boards (host used for advice), but vulnerable risk reinforcement/sycophancy/hallucinations—youth "friendships" (roasts, crushes). Black Mirror "Be Right Back": Perfect robot despised. Gates: No AI for humanitarian. Bridge to humans (anonymous on-ramp), but irreplaceable bonds. Kudos OpenAI; faster detection/live calls needed.
