ShipTalk - SRE, DevOps, Platform Engineering, Software Delivery
ShipTalk is the podcast series on the ins, outs, ups, and downs of software delivery. This series dives into the vast ocean of software delivery, bringing aboard industry tech leaders, seasoned engineers, and insightful customers to navigate through the currents of the ever-evolving software landscape. Each session explores the real-world challenges and victories encountered by today’s tech innovators.
Whether you’re an Engineering Manager, a Software Engineer, or an enthusiast with an interest in software delivery, you’ll gain invaluable insights and equip yourself with the knowledge to sail through the complex waters of software delivery.
Our seasoned guests are here to share their stories, shining a light on the do's, don’ts, and the “I wish I knew” of the tech world. If you would like to be a guest on ShipTalk, send an e-mail to podcast@shiptalk.io. Be sure to check out our sponsor's website - Harness.io
AI for Security vs Security for AI: From IBM Master Inventor to Microsoft AI Architect
Dewan Ahmed sits down with Fatih Bulut, AI Architect at Microsoft and former IBM Research Master Inventor, to separate hype from reality in AI for software delivery and cybersecurity.
Fatih clarifies AI for security vs security for AI, walks through detection engineering as real software engineering, and explains proactive defense across an attack’s phases. He digs into the hard part of shipping: execution, product alignment, and tight feedback loops with customers. On code generation, he calls out failure modes like plausible but wrong outputs and hard-coded shortcuts, and raises open questions about responsibility and auditability when AI writes code.
The pair map AI across the SDLC, from pipeline generation and troubleshooting to vulnerability triage, then explore transformer limits with huge telemetry and why verifiable tasks such as code and math are near term wins. Fatih remains bullish on AI where outputs are testable and where context usage actually works at scale.
WEBVTT
1
00:00:06.530 --> 00:00:21.509
Dewan Ahmed: Hello, hello! Welcome to another episode of ShipTalk Podcast, where we talk about the ins and outs, ups and downs of software delivery. I'm your host, Dewan Ahmed, and today I'm delighted to welcome Fatih Bulut.
2
00:00:21.550 --> 00:00:29.279
Dewan Ahmed: AI architect at Microsoft, working at the intersection of cloud, security, and AI.
3
00:00:29.350 --> 00:00:35.890
Dewan Ahmed: Building systems that actually work, not just dazzling proof of concept. Welcome, Fatih.
4
00:00:37.200 --> 00:00:38.930
Fatih Bulut: Hi, Dewan, glad to be here.
5
00:00:39.200 --> 00:00:41.170
Dewan Ahmed: Where are you dialing from, Fatih?
6
00:00:41.930 --> 00:00:47.019
Fatih Bulut: I… I'm based in Boston, Massachusetts, yeah.
7
00:00:47.290 --> 00:01:06.630
Dewan Ahmed: Okay, not too far from here, I'm in New Brunswick, and it's not September yet, but it was single digit last night. When I say single digit, for my friends in the down south, I have to say, I do in Celsius, so whenever I hear Fahrenheit, my brain goes.
8
00:01:07.110 --> 00:01:12.390
Dewan Ahmed: off, so I have to do some conversion. So I guess, you can, you know.
9
00:01:12.390 --> 00:01:12.740
Fatih Bulut: Yeah.
10
00:01:12.740 --> 00:01:13.800
Dewan Ahmed: Fahrenheit.
11
00:01:14.430 --> 00:01:30.559
Fatih Bulut: I mean, I can't say it in Fahrenheit. It was a hot topic in our household yesterday as well. My parents are here from Turkey, and they're like, in August, this shouldn't be that cold, actually, you know? Is this, like, normal? It was cold yesterday, yeah.
12
00:01:30.560 --> 00:01:35.019
Dewan Ahmed: Yeah, yeah, yeah. Well, we only get a few months of summer.
13
00:01:35.180 --> 00:01:51.500
Dewan Ahmed: So, I was checking your LinkedIn, and I saw that we have a common background back in the IBM days. So, I'm gonna get started there. So, we both spent time at IBM, different teams, but same giant playground.
14
00:01:51.750 --> 00:01:53.950
Dewan Ahmed: How is your IBM experience like?
15
00:01:55.130 --> 00:02:02.790
Fatih Bulut: It, you know, short, it was great. It was my, first employer after my PhD,
16
00:02:02.830 --> 00:02:18.039
Fatih Bulut: I worked at the intersection of AI for security and compliance for, 8 years. I really enjoyed my time. IBM has been a… I mean, IBM was a really big company, and right now it's still a big company.
17
00:02:18.040 --> 00:02:28.270
Fatih Bulut: And, it's a foundational company to everything that even we use today. If you think about, like.
18
00:02:28.410 --> 00:02:35.280
Fatih Bulut: what IBM invented, you know, is, like, the ATMs that we use in banks.
19
00:02:35.430 --> 00:02:53.320
Fatih Bulut: those are invented by IBM, like DRAM, even SQL, you know, and I think Fortran. There are lots of things IBM invented and put into our life, you know, PC, right? That…
20
00:02:53.320 --> 00:03:02.419
Fatih Bulut: you know, it's a foundational to everything. It was obviously a very big company, and lots of, units.
21
00:03:02.450 --> 00:03:10.569
Fatih Bulut: And I was mostly part of the research part, and IBM has a very strong research culture.
22
00:03:10.570 --> 00:03:24.550
Fatih Bulut: It's probably, you know, one of the few companies left in U.S, which has a dedicated research unit. Over time, I realized, you know, we are working
23
00:03:24.550 --> 00:03:37.969
Fatih Bulut: more closely with the business units, but it was an enjoyable moment, you know, I truly enjoy my time. It was a rewarding experience working with really good people.
24
00:03:37.970 --> 00:03:50.750
Fatih Bulut: I still talk with, you know, some of my friends there. It was a really good company, I would say, and it has a marks on my career.
25
00:03:51.390 --> 00:04:08.889
Dewan Ahmed: On the topic of invention, IBM actually invented a cheese cutter. So, when I was working at the Markham Software Lab, there was a giant cheese cutter, and there was, like, IBM on it. Like, I could never imagine that, IBM inventing a cheese cutter. Did you know that, Fatih?
26
00:04:09.120 --> 00:04:14.980
Fatih Bulut: Yeah, I mean, it… I saw some of these machines, you know, in some of the IBM locations, and …
27
00:04:15.040 --> 00:04:22.350
Fatih Bulut: It was really surprising, you know? You think you're working for a tech company, and you see that, you think, like, you know, maybe not, but…
28
00:04:22.380 --> 00:04:37.760
Fatih Bulut: you know, this was, like, maybe 50, 60 years ago, or 70 years ago. IBM is, like, more than a hundred years company, and, you know, they invented a lot of stuff, including, like, you know, tabulating, machine and all.
29
00:04:37.760 --> 00:04:43.310
Fatih Bulut: punch cards, like, all this stuff, right? I mean, it is, …
30
00:04:43.310 --> 00:04:51.000
Fatih Bulut: A company that also transformed itself over time, and many times, and probably they are…
31
00:04:51.000 --> 00:05:03.559
Fatih Bulut: you know, one of the such moments right now as well. So, yeah, I mean, when you work at IBM, the transformation is something that, you know, they talk about a lot.
32
00:05:03.620 --> 00:05:16.689
Fatih Bulut: Which I think keeps the company alive for such a long period. You know, if you compare to some other companies, that we… we talk probably more these days, but they're, you know, much younger companies.
33
00:05:17.700 --> 00:05:36.200
Dewan Ahmed: Yeah, and talking about IBM, Fatih actually was a master inventor at IBM, so working at IBM, I know that that's a very prestigious level to reach at. Not many people can become a master inventor. If you could share with our viewers and listeners about what does a master inventor have to do to earn that title?
34
00:05:37.130 --> 00:05:55.800
Fatih Bulut: So it's a… it's a title that requires a few things. One is that you have to invent. Obviously, you have to submit patents, you have to file patents, and when you have… when you submit a patent, it goes through a review process, and then it will be filed.
35
00:05:55.800 --> 00:06:11.420
Fatih Bulut: drafted and filed, to the patent office. So that's one part of it, like, you have to make sure that you continuously invent. And then, one other thing is, you have to also mentor others as well.
36
00:06:11.420 --> 00:06:31.220
Fatih Bulut: So you need to make sure that the young generations and the people coming after you also, you know, start inventing as well, so that's also part of the evaluation, as far as I remember. So once you, you know, reach to some point where you have lots of patents.
37
00:06:31.220 --> 00:06:45.070
Fatih Bulut: And you start mentoring people, you know, teaching them how to submit and invent as well. So that's where you become eligible for becoming a master inventor.
38
00:06:45.070 --> 00:07:03.510
Fatih Bulut: So those are the two main steps, as far as I remember. One other thing I remember is that, like, you know, it's a… it's not a one-time process, so you have to, sort of, like, re-certificate every three years, as far as… if I remember correctly. So it's, you know, it's for a period. You're a master inventor.
39
00:07:05.120 --> 00:07:19.660
Dewan Ahmed: Talking about master inventor, so one topic that people fail to master is the difference between AI for security and security for AI. Even I don't quite get the exact concept.
40
00:07:19.660 --> 00:07:27.120
Dewan Ahmed: So, you were the best person to explain to our listeners, where do you focus, and what are the differences between these two?
41
00:07:27.860 --> 00:07:37.519
Fatih Bulut: Yeah, definitely. I mean, it's a very confusing topic, you know, because two words, like, you know, we use interchangeably in different places. So…
42
00:07:37.520 --> 00:07:49.239
Fatih Bulut: My focus is mostly on, AI for security, and security itself is a, you know, really broad field, where defenders.
43
00:07:49.240 --> 00:07:56.999
Fatih Bulut: try to protect enterprises, companies, environments, cloud or not.
44
00:07:57.000 --> 00:08:09.210
Fatih Bulut: from bad actors, right? So, it's a broad field, and there is the idea of, like, applying AI, or bringing AI, infusing AI into the security.
45
00:08:09.210 --> 00:08:23.240
Fatih Bulut: So this applies to, for example, let's take security operations center SOC into the account. How do we make the processes more efficient? How do we automate some of this using AI?
46
00:08:23.240 --> 00:08:38.999
Fatih Bulut: And these are, typical, you know, AI problems that you may also find some alignment in different areas as well. And, so this is for AI for security, bringing AI into the security. But then, obviously.
47
00:08:39.179 --> 00:08:53.820
Fatih Bulut: AI itself needs security as well, so that is the part of security for AI. So when we deploy the AI, we need to make sure that it's secure, and, you know, there are lots of attack vectors.
48
00:08:53.820 --> 00:09:05.090
Fatih Bulut: That people, today, take advantage of. You know, for example, putting some prompts into their websites, which,
49
00:09:05.090 --> 00:09:09.579
Fatih Bulut: Which is basically not something you would like in a prompt.
50
00:09:09.580 --> 00:09:29.510
Fatih Bulut: But when you read that website and automatically end up putting it into the context in your prompt, then it becomes your prompt. So, now that it can be a prompt injection attack, for example, to extract some information, such as system prompts and, you know, such details.
51
00:09:29.510 --> 00:09:32.419
Fatih Bulut: Even some other sticks that you're putting into the prompt.
52
00:09:32.420 --> 00:09:46.040
Fatih Bulut: At that point of time. So… so there is, that part of, like, securing the AI itself, so that's the, that's the second part, security for AI. So that's the, you know, the difference in short.
53
00:09:47.290 --> 00:10:10.170
Dewan Ahmed: One other… since we're on the topic of similarities and differences, this is about software delivery, and the theme for Season 4 is AI meets software delivery. How do you draw the parallel between the practices you are mentioning in security space and how we do DevOps and SRE? Do you see similarities, differences?
54
00:10:10.170 --> 00:10:13.899
Dewan Ahmed: Do the fundamentals of SDLC still hold?
55
00:10:14.780 --> 00:10:33.439
Fatih Bulut: I think the fundamentals still holds, in my opinion. So let's take, for example, detection engineering. When we say detection, it's basically a piece of code, and sometimes this piece of code can be as small as a
56
00:10:33.440 --> 00:10:42.190
Fatih Bulut: you know, a SQL sort of, like, query. Sometimes it can be a gigantic, like, query,
57
00:10:42.190 --> 00:10:58.519
Fatih Bulut: Sometimes this is rule-based, sometimes this can be an ML-based, machine learning-based behavioral detection code as well. So it varies a little bit, but at the end, it's a little bit smaller than, like, you know, the typical software.
58
00:10:58.520 --> 00:11:13.869
Fatih Bulut: product, you know. The idea of detection engineering is that you have some, idea around some of the threat vectors that you want to protect your organization.
59
00:11:13.870 --> 00:11:30.909
Fatih Bulut: And these threat vectors can come from a variety of sources. Some of the sources are state-sponsored actors, like threat actors. They would like to get into your environment, take advantage of, like, you know, some of the data and all.
60
00:11:30.910 --> 00:11:39.250
Fatih Bulut: So that's one sort of, like, you know, area that you would like to monitor. The second is financially motivated threat actors. These are
61
00:11:39.250 --> 00:11:54.039
Fatih Bulut: actors who would like to, you know, put some ransomware in your environment and, you know, make some money. There are, like, all sorts of hackers as well, and you would like to, you know, understand your threat
62
00:11:54.100 --> 00:12:11.940
Fatih Bulut: landscape first. Once you understand your landscape, you would like to make sure that whenever these behaviors of hacking, and this could be in variety of ways, if it happens, you would like to catch them.
63
00:12:12.020 --> 00:12:20.689
Fatih Bulut: So to catch them, you rely on the telemetry and logs, which is basically bread and butter in security.
64
00:12:20.990 --> 00:12:29.719
Fatih Bulut: And, and… and to be able to analyze this, telemetry and logs, you need some piece of software, such as detection code.
65
00:12:29.720 --> 00:12:43.339
Fatih Bulut: to analyze these logs and look for patterns. For example, for a password spray attack, you know, you would see logs that, you know, passwords, different passwords are, like, entered multiple times.
66
00:12:43.340 --> 00:13:00.220
Fatih Bulut: So if you catch such things, you look for such things in the detection code, and if you catch it, you generate an alert. So that's sort of like a typical detection engineering, and it's basically, you need to develop a code.
67
00:13:00.250 --> 00:13:06.410
Fatih Bulut: It's very similar to, if we think about it, you know, how we develop,
68
00:13:06.570 --> 00:13:13.429
Fatih Bulut: you know, software features as well. So we have some features, and then that features turn into some code.
69
00:13:13.430 --> 00:13:36.930
Fatih Bulut: by a developer, and then the developer needs to test this code, and then make sure that the quality is there, and then it goes through the CICD and all, and then it's, you know, shipped into the production. So similarly, when you generate detection code, you want to make sure that the quality is there in terms of all the tests and all.
70
00:13:36.930 --> 00:13:48.480
Fatih Bulut: And then it, you know, goes through the test and then went into the CICD and the production. One difference that I can tell is that, like, you know, when you're shipping a code.
71
00:13:48.480 --> 00:14:02.099
Fatih Bulut: In a software, your typical metrics are probably, like, you know, if the feature is complete, if, you know, the thing that you would like to do is there or not, and maybe it's binary, not all the time.
72
00:14:02.100 --> 00:14:19.030
Fatih Bulut: But in detection engineering, your typical metrics are a little bit different, because what you're interested in here is, first of all, do you catch the behaviors that you're targeting or not? So that's sort of like, you know, catch rate, maybe?
73
00:14:19.120 --> 00:14:37.890
Fatih Bulut: The second thing is, you would like to make sure that you're not generating lots of alerts. So you may write a detection that generates lots… that catch lots of such behaviors, but if you generate lots of alerts, then it's not very useful either, because,
74
00:14:38.030 --> 00:14:51.510
Fatih Bulut: Because the Security Operations Center, where they will look into the alerts and incidents and will try to make sense of it. If there are lots of them, they will basically reduce the value of the alerts.
75
00:14:51.510 --> 00:15:01.560
Fatih Bulut: So that's why you… your… one of your metrics is to make sure that you're not generating lots of alerts, your signal-to-noise ratio is high.
76
00:15:01.560 --> 00:15:08.440
Fatih Bulut: So it's, you know, somewhat different, right, if you compare to the software development lifecycle.
77
00:15:08.440 --> 00:15:23.089
Fatih Bulut: But at the end, you know, it's both software, so you gotta make sure that the quality is there, tests are there, and everything is there. Maybe the beginning and, you know, the end differs a little bit in terms of the research and the metrics that you are focusing on.
78
00:15:23.810 --> 00:15:40.249
Dewan Ahmed: Yeah, I could… I could… when you're explaining that, I could relate to how we're designing, like, pipelines, like CICD pipelines, so when I'm trying to deploy to production, I could have some metrics, so let's say I have a CV, or Continuous Verification Module.
79
00:15:40.250 --> 00:16:00.560
Dewan Ahmed: which is looking at certain metrics, like CPU usage, call per minute, and if it reaches a certain threshold, so let's say I'm not going to allow that artifact to be deployed, and it can be manual, someone can get a notification, it can be automated, it… the pipeline will just revert if there's a rollback.
80
00:16:00.560 --> 00:16:08.800
Dewan Ahmed: One other thing I'm thinking is proactive versus reactive. So, so looking at certain metrics and trying to prepare in advance
81
00:16:08.960 --> 00:16:18.220
Dewan Ahmed: versus something happened in production, now how can we quickly revert that? So, in the security space, have you…
82
00:16:18.660 --> 00:16:28.279
Dewan Ahmed: Can you think of something similar of a proactive versus reactive? Like, can you… can you find a pattern of these bad actors beforehand, before something happens?
83
00:16:29.150 --> 00:16:47.399
Fatih Bulut: Yeah, I mean, that's pretty much, like, you know, the idea in detection engineering. So, you… you really want to be prepared when that time comes, you really catch them. And usually, when an attack happens, it doesn't happen in, like, one…
84
00:16:47.410 --> 00:16:50.700
Fatih Bulut: Behavior, so it happens in multiple phases.
85
00:16:50.790 --> 00:16:55.179
Fatih Bulut: Some attackers, like, you know, just go into the system.
86
00:16:55.260 --> 00:17:14.669
Fatih Bulut: let's say they compromise the password of a user, they get into the system, and then they move into the other machine from there and, you know, take advantage of some of the other vulnerabilities. So, it's basically… there are phases, right? It's not just one action.
87
00:17:14.740 --> 00:17:28.239
Fatih Bulut: And there… from a defender's perspective, you have multiple opportunities there. Like, let's say if you… if you… if you couldn't catch them in the first place, for multiple reasons, then there is the second opportunity.
88
00:17:28.250 --> 00:17:40.939
Fatih Bulut: And sometimes it can get tricky because, some of the attackers are, really complicated and, sophisticated in a way that they can
89
00:17:40.990 --> 00:17:53.379
Fatih Bulut: stay stealthy for a very long time, waiting for the moment, you know? So those are very complex use cases, but at the end, like, there are multiple opportunities, and …
90
00:17:53.380 --> 00:18:04.320
Fatih Bulut: And you want to catch them, like, you know, in one of these instances. As early as possible, it's the best way to catch it, but if it doesn't happen, there will be other opportunities as well.
91
00:18:04.320 --> 00:18:19.140
Fatih Bulut: When it comes to the novel attacks, like, you know, maybe, those are the areas where I think, AI, ML sort of solutions, can really, really help, because, the…
92
00:18:19.490 --> 00:18:22.430
Fatih Bulut: Sort of, like, attacks that we discussed, …
93
00:18:22.740 --> 00:18:32.780
Fatih Bulut: for example, password spray and all. These are very well-known attacks, and, you know, you can write detections to detect those.
94
00:18:32.780 --> 00:18:45.510
Fatih Bulut: But then there are always, like, novel attacks that, attackers can come up with. How do you detect those? You know, if you haven't seen those before, how can we be more proactive to those?
95
00:18:45.510 --> 00:19:04.110
Fatih Bulut: I think it's, it's an open question, and, I think AI, LLMs with the cognitive skills, reasoning capabilities, presenting a lot of opportunities in that space, to be more proactive. But in general, you know, security is a, I think.
96
00:19:04.120 --> 00:19:13.369
Fatih Bulut: It's a very proactive, business where, you have your detections, and if somebody acts, you know, you…
97
00:19:13.370 --> 00:19:25.319
Fatih Bulut: basically, create an alert, and mobilize the teams, Security Operations Center, whether to mitigate it, disrupt it, and all sort of, like, you know,
98
00:19:25.390 --> 00:19:26.640
Fatih Bulut: mitigations.
99
00:19:28.050 --> 00:19:34.350
Dewan Ahmed: Now, you have taken ideas from prototypes to general availability.
100
00:19:34.620 --> 00:19:48.279
Dewan Ahmed: a giant leap that a lot of people underestimate. What was the hardest part into turning something which is just in the research phase from something people can actually use?
101
00:19:49.510 --> 00:20:01.969
Fatih Bulut: Yeah, I mean, great question, though. Like, there are a couple of things. First is that, I think, like, you know, people have a lot of ideas, and,
102
00:20:02.260 --> 00:20:10.769
Fatih Bulut: The main part that makes a difference in terms of having ideas and getting that into the people's hands is the execution.
103
00:20:11.060 --> 00:20:23.300
Fatih Bulut: And when you left the execution, a lot of ideas basically just stay in the paper, in PowerPoints, Word documents, or, you know, wherever it's written.
104
00:20:23.390 --> 00:20:40.529
Fatih Bulut: So I see that, like, you know, lots of people have ideas, but to get to the point where it's actually useful, you really need to get this into the hands of the practitioners, whether this is a customer, or if you're developing this for, you know, for internal purposes.
105
00:20:40.530 --> 00:20:43.790
Fatih Bulut: Whatever the, you know, customers in this case.
106
00:20:43.790 --> 00:20:54.909
Fatih Bulut: It takes a lot of efforts to get a research idea into the practitioner's hands. First of all, you have to deal with,
107
00:20:54.920 --> 00:21:09.730
Fatih Bulut: the… the problem of, like, you know, proving that, the idea itself worth investment. So, you know, there are lots of scrutiny around that. Some people may say that, you know, no, this is not a good idea.
108
00:21:09.730 --> 00:21:25.289
Fatih Bulut: And, you know, there are such things. So you have to make sure that you have the alignment. The second thing I would say is that, especially working on the research side, you have to make sure that you really understand the products
109
00:21:25.310 --> 00:21:41.500
Fatih Bulut: the customer sides, you can't just, like, operate in silo and solve customer problems. So you have to make sure that, like, you know, you work very closely with the product teams and engineering teams, understanding their limitations.
110
00:21:41.500 --> 00:21:56.439
Fatih Bulut: Sometimes they don't support, you know, certain functionalities that you would need in your solution, for example. So, you want to make sure that, you know, you build your prototype and solution based on that.
111
00:21:56.590 --> 00:22:12.640
Fatih Bulut: And also working very closely with the customers, and, you know, understanding their pain points, and revising, iterating, getting to the point, you know, things are useful, because when you build a POC,
112
00:22:12.640 --> 00:22:25.140
Fatih Bulut: And you may think that it works, and it solves the problem, but, you know, when you actually put this into the customer hands, then you started to realize that
113
00:22:25.260 --> 00:22:44.579
Fatih Bulut: It actually doesn't solve the problem, you know, maybe it creates more problems, and it's very important that, like, you build and establish that feedback loop with the customers, so that you can iterate, and then make the solution, you know, much better.
114
00:22:44.580 --> 00:23:03.000
Fatih Bulut: I think all of this needs to come together to get, you know, an idea from early research ideas to the production, to the customer hands. All of this needs to come together, and it's a… it's a challenging thing to do, but it's a necessity.
115
00:23:04.360 --> 00:23:12.119
Dewan Ahmed: Couldn't agree more. And one of the challenging things is how we do software delivery. How we take a piece of code.
116
00:23:12.120 --> 00:23:31.370
Dewan Ahmed: turn that into software and get it to customers' hands. How do you see AI affecting software delivery? Does it add complexity? Does it make things simple? And you can draw parallels between, like, your experience on how you're using AI for security and how you see AI in software delivery.
117
00:23:32.100 --> 00:23:38.409
Fatih Bulut: I think this is a, you know, this is a very hot topic right now that people discuss.
118
00:23:38.470 --> 00:23:49.900
Fatih Bulut: there are, like, multiple, I think, phases in software development, right? First, you have to develop the software, and right now, there are lots of buzz around using
119
00:23:49.940 --> 00:24:07.500
Fatih Bulut: AI agents, like, you know, Cursor, Copilot, and all, to use them to generate the code. I mean, in my experience, I can see that, you know, they're really powerful, they can generate code that actually works.
120
00:24:07.520 --> 00:24:17.849
Fatih Bulut: But in the meantime, I also see limitations too. When the codebase gets larger, for example, they start to struggle.
121
00:24:17.880 --> 00:24:24.310
Fatih Bulut: And there are also patterns that I see sometimes can be annoying, like, …
122
00:24:24.660 --> 00:24:34.649
Fatih Bulut: you know, it's… it's… I use this, like, it's a plausible, but wrong, you know? They, for example, generate code,
123
00:24:34.760 --> 00:24:39.650
Fatih Bulut: To, to support, like, legacy features.
124
00:24:39.740 --> 00:24:55.310
Fatih Bulut: Which you don't want to support sometimes, because you're iterating, and you instruct, like, you know, the agent to, not even, like, to support it, but it, you know, it tries to support it, so that's one of the annoying points I can see.
125
00:24:55.310 --> 00:25:01.550
Fatih Bulut: The other thing is, that, that I usually see is it's, …
126
00:25:01.690 --> 00:25:05.470
Fatih Bulut: It basically, it puts, …
127
00:25:05.660 --> 00:25:09.100
Fatih Bulut: Sometimes it can't solve the problem, …
128
00:25:09.250 --> 00:25:19.190
Fatih Bulut: But it puts some hard-coded, like, you know, solutions, somewhat like a, you know, workaround solution in, in…
129
00:25:19.190 --> 00:25:32.540
Fatih Bulut: in the agent's minds, I guess. It can't solve the problem, but, you know, maybe if I put this, like, hard-coded, like, strings and return this, it's gonna work, right? You think that if you don't look into that.
130
00:25:32.540 --> 00:25:50.740
Fatih Bulut: you may think that it's actually working, but actually, it's just, like, not the functionality that you want, it's a hard-coded string. So those are the issues, like, I think, you know, is, is real problems in, you know, software or code generation.
131
00:25:50.750 --> 00:25:57.770
Fatih Bulut: And, and we have to be very careful about this. But in the meantime,
132
00:25:58.010 --> 00:26:08.749
Fatih Bulut: Once you know that, like, how this works, some of the limitations, you become more cautious in terms of, becoming careful on these stuff, and,
133
00:26:08.750 --> 00:26:18.870
Fatih Bulut: and you take this into the account, and you generate and, you know, you work better with the agent. I can see that, like, you know, it improves over time.
134
00:26:18.910 --> 00:26:23.429
Fatih Bulut: So looking back to the, you know, GPT-3…
135
00:26:24.860 --> 00:26:31.960
Fatih Bulut: And then now coming into the, like, GPT-4 and 5, definitely AI, you know, has improved.
136
00:26:32.020 --> 00:26:45.240
Fatih Bulut: And, it generates more meaningful code and all. It's definitely useful, but we have to be careful because, at the end, if the generated codes
137
00:26:45.240 --> 00:26:53.289
Fatih Bulut: somebody has to, you know, look into that, somebody has to make sure that the quality is there, and, I think we are…
138
00:26:53.320 --> 00:27:12.159
Fatih Bulut: we're… we're not right there where we can just, like, use AI, and trust fully. But, you know, I think AI is there, and useful as a co-pilot. So that's, you know, where my opinion stands on this.
139
00:27:13.290 --> 00:27:16.849
Dewan Ahmed: Yeah, I agree. I see it as,
140
00:27:16.850 --> 00:27:35.740
Dewan Ahmed: helpful peer, sometimes a junior engineer, who'll do a lot of work for you, but at the end, it's your job as a senior engineer to ensure that the quality remains of the software you're delivering, because it's your responsibility.
141
00:27:36.080 --> 00:27:39.679
Fatih Bulut: And you also ask about, like, you know, how security, for example.
142
00:27:39.970 --> 00:27:59.570
Fatih Bulut: goes into that too, right? Some of the pieces are still missing. For example, if, as a developer, I use AI to generate the code, and if that code is vulnerable to something, like, who is responsible, you know, for that code? Is the
143
00:27:59.700 --> 00:28:08.749
Fatih Bulut: is the developer who committed that piece of code responsible? Obviously, there is some responsibility there.
144
00:28:08.750 --> 00:28:14.470
Fatih Bulut: But then, how do we audit this? How do we, go back and do forensic on this?
145
00:28:14.470 --> 00:28:31.209
Fatih Bulut: what actually went wrong, you know, what AI agent or LLMs, there are multiple options, even, like, using Copilot, you see multiple, like, LLMs and, you know, you can use. Which one actually was used?
146
00:28:31.210 --> 00:28:48.049
Fatih Bulut: How did this happen? Like, did I use an MCP server, get some more context? Maybe that was the point. So lots of, like, security issues there as well, like, how do we actually audit this? How do we make sure that, like, you know, if something goes wrong, we understand why?
147
00:28:48.050 --> 00:28:56.850
Fatih Bulut: And so these are, I think, still open questions, and, lots of security aspects that needs to come into the place.
148
00:28:56.850 --> 00:29:02.770
Fatih Bulut: And … but I think, you know, it's becoming more useful.
149
00:29:03.620 --> 00:29:19.920
Dewan Ahmed: Yeah, agreed. So, when we think of the whole SDLC, like, the life cycles from building software to building the artifact, delivering it, monitoring it, AI touches almost, like, every single bit. So, Fatih, you talked about, like, code generation part.
150
00:29:19.920 --> 00:29:35.460
Dewan Ahmed: But what I see, customers using AI, or taking benefit from AI is, let's say they have to generate a pipeline. Harness AI, for example, in the platform, it gives you an option to generate a pipeline using AI. So you click a button, and it generates the whole pipeline for you.
151
00:29:35.460 --> 00:29:47.620
Dewan Ahmed: There might be any issues if you have any specific use cases, but an experienced user, so let's say a DevOps engineer, they'll know that, okay, it did 95% of my work, now I have to do some tweaking.
152
00:29:47.760 --> 00:30:02.660
Dewan Ahmed: I remember, like, 3 or 4 years ago, whenever, there is a failed pipeline, actually look at the pipeline logs. Like, just scroll through the logs, do a Command-F or some tail to find out what's the issue. Right now, there's a button, like.
153
00:30:02.660 --> 00:30:25.150
Dewan Ahmed: troubleshoot or find the issue for me. Again, with Harness AI, it reads your entire logs and tells you this is where maybe a package, maybe a version mismatch, and then you can… same thing with vulnerabilities. If there are vulnerabilities for your SBOM, it can find out this is the issue, and it also gives you remedies. So this is how I see
154
00:30:25.150 --> 00:30:36.199
Dewan Ahmed: AI helping people who already did these things by hand, and now just taking benefit from AI and automation versus someone completely new.
155
00:30:36.200 --> 00:30:47.209
Dewan Ahmed: We hear the term vibe coding, vibe coding all the way from development to deployment. For them, again, it might do most of the work, but if there's an issue.
156
00:30:47.280 --> 00:30:50.090
Dewan Ahmed: It, it won't catch their eyes.
157
00:30:50.580 --> 00:30:53.730
Fatih Bulut: Yeah, definitely. I mean, …
158
00:30:53.890 --> 00:31:09.609
Fatih Bulut: I think one of the problems that we're currently facing with AI is definitely useful, but it also throws a lot of ideas as well. You know, for example, you have a code base, and you wanted to analyze this for issues.
159
00:31:09.700 --> 00:31:17.459
Fatih Bulut: And if you ask AI, it may find you some novel patterns, too. You know, in some instances, there are…
160
00:31:17.510 --> 00:31:31.799
Fatih Bulut: there are some, like, you know, papers and blog posts about that. But in the meantime, it also generates noises too, you know? It brings up issues that may not be a problem, actually, from a production perspective.
161
00:31:31.800 --> 00:31:40.400
Fatih Bulut: There's that problem as well. I think if we put the human at the co-pilot seat, you know, and working along with AI,
162
00:31:40.420 --> 00:31:58.579
Fatih Bulut: I think that's the… that's the way to approach this, at least for now. You know, in future, things may change, but for now, I think, you know, it's the best way to approach this. One of the problems that… I think the fundamental problem that I can see in AI today is the architecture itself.
163
00:31:58.580 --> 00:32:08.670
Fatih Bulut: And I mean, this is not my opinion, but some of the, you know, prominent figures in AI also tell this as well.
164
00:32:08.880 --> 00:32:27.329
Fatih Bulut: the transformer architecture, right? So that the architecture itself is the cause of some of the limitations. I can easily see that sometimes when I use LLMs, it overlooks information. Even though the context window gets larger and larger over time, now
165
00:32:27.330 --> 00:32:34.150
Fatih Bulut: you know, we are talking about millions of tokens. Still, I can see that, certain
166
00:32:34.150 --> 00:32:52.320
Fatih Bulut: information and instructions are not followed, even by the most powerful models that we, you know, use today. And these are some of the, like, biggest problems in security and operations as well, because the data volume is huge.
167
00:32:52.410 --> 00:33:15.499
Fatih Bulut: So, for example, when you deal with logs and telemetries, you know, whether this is for an operations incident, or this is for security, the volume is huge, and to be able to take advantage of AI and LLMs in that space, you have to really make sure that what you put into the prompt
168
00:33:15.550 --> 00:33:25.250
Fatih Bulut: As a context, you know, is the one that you would expect that you try to get something out of it.
169
00:33:25.310 --> 00:33:28.080
Fatih Bulut: So you, you need to really, you know.
170
00:33:28.790 --> 00:33:37.289
Fatih Bulut: put all the noise out of it. So there are some such limitations, but I think, you know, we're getting there. It's gonna get much better.
171
00:33:37.780 --> 00:33:50.910
Dewan Ahmed: Yeah, yeah, totally. I… it reminds me of the Stack Overflow days, that if I find a piece of code on Stack Overflow, it must be perfect to deploy to prod. So, similar to that, like, there might be…
172
00:33:51.300 --> 00:34:02.589
Dewan Ahmed: an overconfidence on the models we have right now. Like, AI is this magic that you spring all over, and then it must work. I think there has to be some sort of
173
00:34:02.590 --> 00:34:24.830
Dewan Ahmed: QA in how we generate code, how we deliver that code, and I'm talking in the context of AI, because we are creating codes like never, ever. Never before. And this huge amount of code, like, who's actually making sure that there is some QA? Again, we can bring AI into some sort of, hopefully, like.
174
00:34:24.960 --> 00:34:41.639
Dewan Ahmed: AI QA, or similar systems, that'll make sure that, yes, the code you're generating, it matches the mark, or the things you're deploying, it also is free of certain vulnerabilities, is good for production. But I think this is a very interesting time, where
175
00:34:41.800 --> 00:34:46.620
Dewan Ahmed: Many engineering teams will make mistakes, and they'll learn from these mistakes.
176
00:34:47.360 --> 00:34:52.720
Fatih Bulut: Yeah, definitely. I mean, the… the… one of the main drivers
177
00:34:52.929 --> 00:35:01.410
Fatih Bulut: of, you know, using AI, I think it's coming from the business itself, you know? Where…
178
00:35:01.560 --> 00:35:19.279
Fatih Bulut: now that we have this powerful tool at our hands, everybody would like to get more features, you know, delivered, more products delivered, and I think that's fueling the use of AI a lot.
179
00:35:19.280 --> 00:35:33.400
Fatih Bulut: because people, I think, now realize that this is something that they can use to expedite, you know, some of these, works and tasks. And, always it comes with, you know.
180
00:35:33.530 --> 00:35:43.049
Fatih Bulut: With the pitfalls and with all the potential failures and potential drawbacks and security issues.
181
00:35:43.080 --> 00:35:58.780
Fatih Bulut: But I think, you know, as you mentioned, we have to come up with quality assurance there, whether automated or not. Obviously, I mean, we need some automation there to make sure that, you know, the quality is there.
182
00:35:58.780 --> 00:36:07.450
Fatih Bulut: And if quality is not there, you know, we stop there. We don't put this into the… or merge into the main to go into the production.
183
00:36:08.860 --> 00:36:19.880
Dewan Ahmed: one of the places you're looking to add quality, or look at the security aspect was metaverse. So I came across your blog from 2022, you wrote about metaverse and security.
184
00:36:19.880 --> 00:36:30.469
Dewan Ahmed: What led you to explore security in the metaverse? And then our follow-up would be, how do you see writing blogs, helping software professionals?
185
00:36:31.410 --> 00:36:38.230
Fatih Bulut: Yeah, I mean, it was a time, I think, 2022, maybe…
186
00:36:38.560 --> 00:36:53.100
Fatih Bulut: within the COVID, or right after the COVID, I was working at IBM Research. I was tasked with looking into the metaverse security. Obviously, at that time around, the metaverse was a very, very, very hot topic.
187
00:36:53.140 --> 00:37:06.040
Fatih Bulut: You know, I remember… even, I think, Facebook changed its name around that time, maybe a few years back, or such. So it was a very hot topic. Everybody would like to do something in metaverse.
188
00:37:06.040 --> 00:37:21.399
Fatih Bulut: Obviously, with my expertise, I was tasked with, like, you know, looking into the security aspect of metaverse. So that's, like, how I come up with that, you know, blog. I did some research, tried to understand, you know, the landscape.
189
00:37:21.400 --> 00:37:26.960
Fatih Bulut: And then think about, you know, what are the security aspects of Metaverse.
190
00:37:26.970 --> 00:37:41.999
Fatih Bulut: Interestingly, you know, I mean, metaverse, we have avatars and all, and, you know, different, digital entities. Similarly, I think there are parallels in today's world where we have AI agents.
191
00:37:42.010 --> 00:37:49.030
Fatih Bulut: In that, you know, metaverse context, we were talking about identities.
192
00:37:49.070 --> 00:38:00.969
Fatih Bulut: So how do we, for example, make sure that the identity is, you know, is something that we can prove? How do we make sure that, you know, it's secure and all?
193
00:38:00.970 --> 00:38:18.360
Fatih Bulut: Same problems that today we are dealing with the AI-based agents as well. When they operate, you know, who's responsible on what? What identity did they use? Are they using the identity of the person or the process that started it, versus
194
00:38:18.360 --> 00:38:23.000
Fatih Bulut: they're using their own identity. I think there are lots of debates and, …
195
00:38:23.180 --> 00:38:38.440
Fatih Bulut: you know, ideas floating around that topic, too. So, you know, I think there are lots of parallels from metaverse to AI agents, but the context is, like, you know, at that time, it was a hot topic, and we wanted to look into the security aspects.
196
00:38:38.500 --> 00:38:53.870
Fatih Bulut: Of it. From a blogging perspective, I… I can't say that I'm an avid blogger, to be honest, but I do benefit from a lot of substacks and, like, you know, what people generate.
197
00:38:53.930 --> 00:39:06.570
Fatih Bulut: I started to look a little bit, like, you know, more suspicious, more suspicious to the blogs, given that now AI is very capable of, like, you know, writing very good text.
198
00:39:06.590 --> 00:39:25.529
Fatih Bulut: So I think it diminished the value of blogs a little bit, but there are people that I trust, there are, like, blogs that, like, I follow, which I do, you know, get benefit. On the other side of the story is that with AI, you know, it's more polished.
199
00:39:25.540 --> 00:39:30.040
Fatih Bulut: We see, like, you know, more, the story of the…
200
00:39:30.060 --> 00:39:48.329
Fatih Bulut: blog is basically more coherent and all, so I think there are also positive aspects as well. But yeah, I mean, you know, I think it's the… blogging is, for me, it's more of, like, a learning, so that's why, you know, when I
201
00:39:48.390 --> 00:39:58.889
Fatih Bulut: write something, it's sort of for me to learn and also share what I learn. But yeah, I think everyone may have different, sort of, like, objectives on that.
202
00:40:00.080 --> 00:40:02.880
Dewan Ahmed: Maybe we can, … filter out, …
203
00:40:03.300 --> 00:40:07.759
Dewan Ahmed: human-generated blogs just using em dash as a filter.
204
00:40:08.440 --> 00:40:14.009
Fatih Bulut: Yeah, yeah, that's a good idea. I mean, some of these posts, like, you know, they, …
205
00:40:14.100 --> 00:40:30.110
Fatih Bulut: it's… you can easily tell that… and I, you know, I also know people who use em dash, too, and they're really pissed off, because… because, like, you know, they say that I use this in my, like, you know, regular writing, so don't blame me that this is…
206
00:40:30.250 --> 00:40:34.400
Fatih Bulut: you know, LLM-generated text, so there is that aspect.
207
00:40:34.700 --> 00:40:43.469
Dewan Ahmed: Yeah, I know some people will intentionally now add mistakes or typos in their writing just to prove that, hey, I'm a human writing this, so…
208
00:40:43.590 --> 00:40:47.270
Dewan Ahmed: It's very, very strange times. Now.
209
00:40:47.390 --> 00:40:59.490
Dewan Ahmed: Talking about strange times, everyone seems to have AI in their LinkedIn title. Like, you're an actual, like, AI ML architect. Your work has been in the AI way before it was cool.
210
00:40:59.550 --> 00:41:08.759
Dewan Ahmed: So, how do you see the hype versus reality? What's one thing that makes you shake your head when you see the hype?
211
00:41:10.080 --> 00:41:18.220
Fatih Bulut: I mean, there's definitely a certain level of hype in AI, for sure, but…
212
00:41:18.250 --> 00:41:28.410
Fatih Bulut: it's fueled by the reality, let me put it that way. And the reason is that, you know, I think AI is now at a place where
213
00:41:28.410 --> 00:41:38.799
Fatih Bulut: we can take advantage of it and deliver features and products that would transform the businesses.
214
00:41:38.800 --> 00:41:50.320
Fatih Bulut: And we see the example of this, you know, in multiple places. So it already happens. So it's a reality, in my opinion. But in the meantime.
215
00:41:50.400 --> 00:42:09.870
Fatih Bulut: I don't yet see that AI is at a place where we can confidently rely on it for all of our problems. And those are the areas, like, I shake my hands, you know, maybe we should slow down a little bit. Obviously.
216
00:42:09.880 --> 00:42:10.939
Fatih Bulut: you know.
217
00:42:10.980 --> 00:42:20.859
Fatih Bulut: All of us, like, working in this field, targeting autonomous systems, making more things, like, autonomous and automated, …
218
00:42:21.120 --> 00:42:25.509
Fatih Bulut: But, there are use cases where you can do this today.
219
00:42:25.660 --> 00:42:40.320
Fatih Bulut: But then there are use cases you can't because of the reliability requirements, and maybe healthcare and security, you know, may fall into some of these areas. So you have to make sure that the quality is there, because human lives, you know.
220
00:42:40.430 --> 00:42:53.159
Fatih Bulut: at the… at the, you know, risk here. Another aspect that I can see is, is a little bit problematic is, I think we are a little bit unfair to AI,
221
00:42:53.370 --> 00:43:07.419
Fatih Bulut: in comparison to human. So, when we look at some of the use cases in, let's say, security, I see humans also make a lot of mistakes, you know, in terms of
222
00:43:07.590 --> 00:43:11.340
Fatih Bulut: Yeah, extraction of information, or in terms of
223
00:43:11.510 --> 00:43:18.510
Fatih Bulut: writing, you know, a software code and all. But we are more,
224
00:43:18.690 --> 00:43:38.050
Fatih Bulut: you know, careful to… or we are more okay that humans make mistakes, versus if AI makes a mistake, we are, you know, like, it's on the niffs, so those sort of, problems. So I think we're a little bit unfair to the AI in that sense, but I think that's also normal, because we wanted to
225
00:43:38.120 --> 00:43:53.639
Fatih Bulut: make sure that AI actually, not just, like, get to the human level in certain tests, it actually precedes those. So I think it's, it's, you know, also a perception problem, too. …
226
00:43:53.690 --> 00:44:00.730
Fatih Bulut: But, but yeah, I mean, you know, I think one thing that, you know, we need to be careful is,
227
00:44:01.070 --> 00:44:04.079
Fatih Bulut: When people say, we can…
228
00:44:04.250 --> 00:44:08.410
Fatih Bulut: automate everything, I think that's where I shake my hands, like, you know.
229
00:44:08.640 --> 00:44:13.889
Fatih Bulut: I can't do that with that indeterminism, with, you know, …
230
00:44:14.000 --> 00:44:25.349
Fatih Bulut: uncertainty in outputs, and with all the costs as well, you know, I don't think we are there yet, but there are use cases where maybe this is possible.
231
00:44:26.870 --> 00:44:42.630
Dewan Ahmed: And conversely, what's one thing that you're really hopeful with with AI? So, let's say in the next 5 years, what's one area that you see massively impacted with AI? And that's something, like, you're certain will happen?
232
00:44:43.570 --> 00:44:47.829
Fatih Bulut: I think the, the places where,
233
00:44:48.040 --> 00:44:51.640
Fatih Bulut: And this may get a little bit technical, but… …
234
00:44:52.290 --> 00:44:57.930
Fatih Bulut: The places that we have verifiable outputs, For example, …
235
00:44:58.460 --> 00:45:05.250
Fatih Bulut: I can write a code and I can test it, whether it runs or not, or whether what the output is or not.
236
00:45:05.440 --> 00:45:12.349
Fatih Bulut: So those are the areas where I think we're gonna see, a lot of improvements.
237
00:45:12.630 --> 00:45:18.350
Fatih Bulut: And this applies to math as well, because, you know, you can verify the math solution.
238
00:45:18.530 --> 00:45:23.090
Fatih Bulut: You can look at the, you know, output and then see if it's correct or not.
239
00:45:23.250 --> 00:45:31.300
Fatih Bulut: So, the places where you have such verifiable solutions, where these reasoning models started to excel.
240
00:45:31.580 --> 00:45:37.489
Fatih Bulut: I think those are the areas where I can see that we will see some more improvements.
241
00:45:37.770 --> 00:45:45.450
Fatih Bulut: You know, with more time to compute and all. … And, …
242
00:45:45.660 --> 00:45:56.939
Fatih Bulut: So those are the areas. One thing that, like, you know, I am really hoping where AI gets better is the context window and effective use of it.
243
00:45:57.160 --> 00:46:06.839
Fatih Bulut: As I mentioned, you know, we discuss about, like, 2 million tokens, but, you know, today, I don't think AI is there.
244
00:46:06.900 --> 00:46:23.400
Fatih Bulut: where this is utilized effectively. So I am hoping that, you know, we get to the point where we can rely on AI. When we put information, it will take this into the account for sure. I think that will,
245
00:46:24.220 --> 00:46:33.549
Fatih Bulut: Opportunities as well, especially in the areas where the volume is huge, like in security or ops and, you know, those use cases.
246
00:46:35.920 --> 00:46:39.209
Dewan Ahmed: This was the conversation with Fatih Bulut.
247
00:46:39.590 --> 00:46:59.269
Dewan Ahmed: AI architect at Microsoft, master inventor at his previous place, IBM Research. Fatih, it was fantastic to have this discussion with you. If our viewers and listeners would love to learn more about AI, cloud, and security, what can they do? Where can they find you?
248
00:47:00.130 --> 00:47:13.269
Fatih Bulut: The best place to reach out to me, I think, is my LinkedIn account. I have a website and a blog as well, but, you know, the one that's most up-to-date is my LinkedIn account.
249
00:47:13.780 --> 00:47:28.109
Dewan Ahmed: We'll be sure to link your LinkedIn account in the podcast description and the YouTube video description. If you haven't subscribed yet, please subscribe to our YouTube channel. This is ShipTalk Podcast. I'm your host, Dewan Ahmed.
250
00:47:28.220 --> 00:47:39.680
Dewan Ahmed: We talk about the ins and outs, ups and downs of software delivery, and this season, Season 4, we're talking about how AI meets software delivery. Thank you, Fatih.
251
00:47:40.320 --> 00:47:41.230
Fatih Bulut: Thank you, Dewan.