5 days ago · Tech · 0 comments

TL;DR: “Private by obscurity” has been dissolved. Internal tools often have layering boundaries that are enforced only by convention. It is natural to assume a “high trust environment”, where privileged actions are discouraged by obscurity and goodwill instead of hard technical boundaries. Coding agents have dissolved that obscurity, and as a result internal platform engineering now genuinely demands a security mindset.[1]

During a recent codebase audit, a coworker and I discovered an unfortunate set of private APIs my team owns that were being used in creative and unintended ways, outside the official interfaces. Much of the code that introduced these unsanctioned dependencies was AI generated.[2] This was one more datapoint among many that, especially in large monolith codebases and in large enterprises, coding agents have changed how platform teams need to operate.

This particular audit exposed two classes of internal API leakage: We have pseudo-internal APIs opened for narrow…
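The failure mode described above is a boundary that exists only as a naming convention (a `_internal` module, a “don’t call this” comment), which an agent searching the codebase will happily ignore. One way to turn such a convention into a hard, CI-enforceable rule is an import-boundary check run over the source tree. The following is an added example written for this page, not code from the post or its author’s codebase; the package names (`infra.storage`, `billing`, `reports`, `search`) and the sample files are hypothetical and constructed inline so it runs offline.

```python
"""Import-boundary check: fails the build when a private package is
imported from outside the package that owns it.

Added example, not from the original post. All package and file names
below are hypothetical.
"""
import ast
from dataclasses import dataclass

# Rule table: private package prefix -> the only package allowed to import it.
# Hypothetical names; a real deployment would load these from a config file.
PRIVATE_OWNERS = {
    "infra.storage._internal": "infra.storage",
}

# Constructed sample sources standing in for files in a monorepo.
SAMPLE_SOURCES = {
    # Inside the owning package: allowed.
    "infra/storage/api.py": "from infra.storage._internal import blob_store\n",
    # Public API used by another team: allowed.
    "search/indexer.py": "import infra.storage.api\n",
    # Reaching into the private package from another team: violation.
    "billing/invoices.py": "from infra.storage._internal.blob_store import put_raw\n",
    # Importing the private package as a name also counts: violation.
    "reports/export.py": "from infra.storage import _internal\n",
}


@dataclass(frozen=True, order=True)
class Violation:
    path: str
    lineno: int
    private: str  # the private prefix that was crossed


def _module_name(path: str) -> str:
    """'billing/invoices.py' -> 'billing.invoices'."""
    if path.endswith(".py"):
        path = path[:-3]
    return path.replace("/", ".")


def _imported_names(tree: ast.AST):
    """Yield (lineno, fully qualified name) for every absolute import."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield node.lineno, alias.name
        elif isinstance(node, ast.ImportFrom):
            if node.level or not node.module:
                continue  # relative imports resolve within the owner; skip
            yield node.lineno, node.module
            for alias in node.names:
                # "from infra.storage import _internal" names the private package
                yield node.lineno, f"{node.module}.{alias.name}"


def _inside(module: str, package: str) -> bool:
    return module == package or module.startswith(package + ".")


def check_boundaries(sources: dict, rules: dict = PRIVATE_OWNERS) -> list:
    """Return sorted, de-duplicated Violations for imports that cross a rule."""
    found = set()
    for path, src in sources.items():
        importer = _module_name(path)
        tree = ast.parse(src, filename=path)
        for lineno, name in _imported_names(tree):
            for private, owner in rules.items():
                if _inside(name, private) and not _inside(importer, owner):
                    found.add(Violation(path, lineno, private))
    return sorted(found)


if __name__ == "__main__":
    for v in check_boundaries(SAMPLE_SOURCES):
        print(f"{v.path}:{v.lineno}: imports private package {v.private}")
    raise SystemExit(1 if check_boundaries(SAMPLE_SOURCES) else 0)
```

Wired into CI with a non-zero exit on any violation, this is a technical boundary rather than a social one: an agent (or a hurried engineer) cannot quietly take the dependency. It only sees direct imports, so reflection, `importlib`, and copy-pasted internals still need the audit described in the post.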
