In 2022, a surge of AI-based coding assistants revolutionized the software development landscape. Since then, these tools have become ubiquitous, deployed by 92% of organizations, according to a recent report. Even though organizations everywhere are using AI-based coding, there remains a tug-of-war within organizations between the benefits and security fears concerning AI-based software development. For example, 76% of respondents stated that these tools have improved their organization’s code security, and only 14% of respondents acknowledged AI tools introduced “a lot” of vulnerabilities into their code. At the same time, 59% of respondents said they are concerned that AI tools will introduce security vulnerabilities into their code.
The two sentiments appear contradictory, but they accurately reflect the current tension introduced by this new generation of coding assistants. It’s almost as if, despite the tangible benefits of AI in coding, software developers, engineering and security teams still don’t fully trust AI tools. So, how can teams address this disconnect? It’s time for them to build a firmer understanding of the current AI-based coding landscape and follow a three-step process to fortify their development process.
Although developers fear the potential vulnerabilities of AI-based coding tools, previous research has not conclusively proven or disproven that AI coding assistants introduce security flaws. In an August 2022 study, New York University researchers found that using LLMs for coding assistance did not introduce significantly more errors among student programmers than traditional coding methods. Conversely, a November 2022 study by Stanford University researchers found that “…participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant.” They did find, however, that participants who trusted the AI less and engaged more with the language and format of their prompts delivered code with fewer vulnerabilities.
It’s also important to note that restricting AI-based tools in your development processes may not prevent developers from leveraging them anyway. In March 2023, Italy banned ChatGPT, and OpenAI cut off access in compliance with the ban. Researchers looked at the hourly coding output of over 8,000 professional GitHub users in Italy and other European countries and found that the output of Italian developers decreased by around 50% in the first two business days after the ban but rebounded to previous levels shortly after. Examining daily Google search and Tor usage data, the research team found “…the ban led to a significant increase in the use of censorship bypassing tools. Our findings show that users swiftly implement strategies to bypass Internet restrictions…” If development teams want to use AI-based coding tools, it may make more sense to figure out a secure way to leverage these tools instead of trying to remove them altogether.
The good news about securing AI-based software development is that most of these suggestions can build on existing security practices. AI-generated and human-generated code are processed in the same way by a computer, so all security tooling and approaches can work equally well with AI and human code. Here are some basic best practices to put in place to ensure a higher level of security for AI-generated code.
● Automate: AI coding assistants such as CodeWhisperer and Copilot can speed up development. To keep up with the increased pace, they should be paired with comprehensive security automation tools to ensure that code flowing through the development process remains secure. Early studies have shown that developers using these tools may increase their code output by as much as 50%. This will push AppSec teams beyond their capacity and means the only viable option is automation.
● Accelerate: Increase the frequency of code audits. Putting human eyes on the code is critical for security review and spotting problems that LLMs may introduce. If a team uses AI to increase efficiency and ship more code more frequently, that should free up additional resources for more frequent and intense code audits. Granted, code audits are not a favorite task of many developers, but the increased review process should have the secondary benefit of shifting security left naturally.
● Educate: Have a plan to teach developers about secure coding with the new AI tools. Teach them the risks of including critical IP or system information in prompts and the hazards of asking the AI to fix snippets holding secrets, API keys, and other non-public information. And as the area develops, build a curriculum on how to improve prompting for better security. The AI tools are only as good as the prompts we feed them. As the Stanford study showed, better prompts focused on secure coding practices can yield more secure code. This is an extension of developer education and should become a normal part of developer onboarding.
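One way to back the Educate point about secrets in prompts with automation, as an added example that is not part of the original article: a Python filter that redacts credential-looking values from a snippet before it is sent to an assistant. The rule set, the entropy threshold and the sample snippet are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample: a snippet a developer might paste into an assistant.
SAMPLE_SNIPPET = '''\
AWS_ID = "AKIAABCDEFGHIJKLMNOP"
db_password = "changeme"
session = connect("q8Zr2LmX0vTn5KpWc7Yd")
handler = "com_example_myapp_module_handler"
'''

# Illustrative rules (assumptions), not a complete catalogue of secret formats.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# name = "value" where the name suggests a credential
ASSIGNMENT = re.compile(
    r"(?i)\b([\w.-]*(?:api[_-]?key|secret|token|passw(?:or)?d)[\w.-]*)"
    r"(\s*[:=]\s*)(['\"])([^'\"\n]+)\3")
# Unlabelled quoted tokens: only flagged when they look random.
BARE_TOKEN = re.compile(r"(['\"])([A-Za-z0-9+/_=-]{20,})\1")

def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score higher than identifiers."""
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())

def scrub_prompt(text: str, min_entropy: float = 4.0):
    """Return (redacted_text, findings) for text about to leave the workstation."""
    findings = []

    def aws(match):
        findings.append("aws_access_key_id")
        return "<REDACTED:aws_access_key_id>"

    def assignment(match):
        name, sep, quote, _value = match.groups()
        findings.append(f"credential_assignment:{name}")
        return f"{name}{sep}{quote}<REDACTED>{quote}"

    def bare(match):
        quote, value = match.groups()
        if shannon_entropy(value) < min_entropy:
            return match.group(0)  # likely an identifier, leave untouched
        findings.append("high_entropy_token")
        return f"{quote}<REDACTED:high_entropy_token>{quote}"

    for pattern, handler in ((AWS_KEY_ID, aws), (ASSIGNMENT, assignment), (BARE_TOKEN, bare)):
        text = pattern.sub(handler, text)
    return text, findings
```

The findings list can be logged or used to block the request, which also shows developers which habits keep putting credentials into prompts.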
Before the emergence of AI, developers commonly cut and pasted code they found on Q&A sites like StackOverflow or GitHub. Unlike before, AI introduces layers of abstraction, which potentially mask code issues. Developers know this and it makes them wary, even as they vote with their usage patterns.
Making AI-enabled coding more secure, however, is a manageable problem. By extending existing security practices, adding new practices like secure prompting, and upping the pace and intensity of scrutiny while implementing automation, we can match the new and faster metabolism of software development. The way to more secure code is through more automation and more human-in-the-loop code review, and continuing to shift code security left. AI will force the issue — and that’s a good thing.