Developers are under pressure to generate code faster than ever – with a constant demand for more functionality and a seamless user experience – leading to a general deprioritization of cybersecurity and inevitable vulnerabilities finding their way into software. These vulnerabilities include privilege escalations, backdoor credentials, potential injection exposure, and unencrypted data.
This pain point has been around for decades, but artificial intelligence (AI) is poised to provide significant support. A growing number of developer teams are using AI remediation tools to suggest quick fixes for vulnerabilities throughout the software development lifecycle (SDLC).
Such tools can support developers’ defense capabilities, enabling an easier path to a security first mentality. But – like any new and potentially impactful innovation – they also bring potential issues that teams and organizations should explore. Here are three, with my initial perspectives in response:
Co-founder and CEO of Secure Code Warrior.
No. If the tools are deployed effectively, developers can become more aware of the presence of vulnerabilities in their products and then create the opportunity to eliminate them. But while AI can detect certain issues and inconsistencies, human insights are still needed to understand how AI recommendations fit into the broader context of a project as a whole. Elements such as design and business logic deficiencies, understanding compliance requirements for specific data and systems, and developer-led threat modeling practices are all areas where AI tools will struggle to provide value.
Furthermore, teams cannot blindly rely on the output of AI coding and recovery assistants. ‘Hallucinations’ or incorrect answers are quite common and are usually given with a high degree of confidence. People should thoroughly vet all answers – especially those related to security – to ensure the recommendations are valid, and to refine the code for secure integration. As this technology space matures and becomes more widely used, unavoidable AI-driven threats will become a significant risk that must be planned for and mitigated.
Ultimately, we will always need the “human perspective” to anticipate and protect code against today’s advanced attack techniques. AI coding assistants can lend a helping hand with quick fixes and serve as formidable affiliate programming partners, but humans must take on the “big picture” responsibilities of identifying and enforcing security best practices. To this end, developers must also receive adequate and frequent training to ensure they are equipped to share responsibility for security.
Training should evolve to encourage developers to take multiple paths to educate themselves on AI remediation and other security-enhancing AI tools, as well as comprehensive, hands-on lessons in secure coding best practices.
It’s certainly useful for developers to learn how to use tools that improve efficiency and productivity, but it’s critical that they understand how to deploy them responsibly within their tech stack. The question we should always ask is: how can we ensure that AI remediation tools are deployed to help developers excel, rather than using them to overcompensate for the lack of fundamental security training?
Developer training must also evolve by implementing standard measures of developer progress, with benchmarks to compare over time how well they identify and remove vulnerabilities, catch misconfigurations, and mitigate code-level weaknesses. If used properly, AI remediation tools will help developers become increasingly security conscious while reducing overall risk across the organization. Furthermore, mastering responsible AI remediation will be seen as a valuable business asset and enable developers to reach new heights with team projects and responsibilities.
The software development landscape is constantly changing, but it’s fair to say that the introduction of AI tools into the standard SDLC represents a rapid shift to essentially a new way of working for many software engineers. However, it perpetuates the same problem of introducing bad encryption patterns that can potentially be exploited faster and in greater volume than at any other time in history.
In an environment that is constantly changing, training must keep pace and remain as fresh and dynamic as possible. In the ideal scenario, developers would receive security training that mimics the issues they encounter during their workday, in the formats they find most compelling. Additionally, modern security training must emphasize secure design principles and take into account the deep need to think critically about every AI output. For now, that remains the domain of a highly skilled, security-conscious developer who knows his codebase better than anyone.
It all comes down to innovation. Teams will thrive with solutions that increase problem visibility and resolution options during the SDLC, but don’t slow down the software development process.
AI cannot step in to “do the security for developers,” just as it cannot completely replace them in the coding process itself. No matter how many more AI developments occur, these tools will never provide 100 percent foolproof answers about vulnerabilities and solutions. However, they can play a crucial role within the bigger picture of a total “safety first” culture – one that relies on both technology and human perspectives. Once teams have undergone the required training and on-the-job knowledge building to reach this state, they will indeed find that they can create products quickly, effectively and safely.
It must also be said that, as with online resources such as Stack Overflow or Reddit, if a programming language is less popular or common, this will be reflected in the availability of data and resources. You’re unlikely to have trouble finding answers to security questions in Java or C, but data may be missing or conspicuously absent when troubleshooting complex bugs in COBOL or even Golang. LLMs are trained on publicly available data and are only as good as the data set.
This is yet another important area where security-conscious developers are filling a gap. Their own hands-on experience with more obscure languages – coupled with formal and ongoing security learning outcomes – should help close a clear knowledge gap and reduce the risk of AI output being implemented on faith alone.
We have presented the best online learning platform.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro