AI vs AI, Part I: How Fast Can You Fix?
Any developer who has experimented with AI in their coding processes is well aware that it comes with pros and cons. AI empowers developers to code faster by remembering common patterns and dealing with repetitive tasks, but it also tends to create inelegant, overly verbose, or unreliable code.
The reality is that anything speeding up development is here to stay, with companies rushing to get secure adoption of AI tooling for their developers. This post isn’t one of the many out there meant to scare people about the security of AI-generated code. AI-generated code has all of the same potential pros and cons of human-generated code. Sometimes it will be great and secure, and other times it will need some work.
Instead, we’ll address two less commonly considered issues with adoption of AI coding—the velocity of new code, and the issue of how long it takes to get something fixed. Spoiler: the only real solution is to use AI to help secure itself, by providing automated fixes to allow security to keep up with the new pace of development.
The Velocity of New Code
One reason for the rapid adoption of shift left and pipeline scanning was the explosion in deployments with the adoption of DevOps. Instead of gating deployments like with waterfall, DevOps adoption led to security teams needing quick scans of new code as it was pushed into production. It is now an expectation that security scanning happens quickly and frequently.
With AI tools, we’re witnessing a similar increase in code velocity. Whereas the prior shift was about the frequency of deployments, this is about the sheer amount of new code getting committed. With AI, more code is getting written, both because people are using it to generate complicated logic to create MVPs, and because it is enabling more end users to code directly. With GenAI, people with little development experience can find themselves quickly deploying production code.
It’s now possible for developers to deploy entire new services in hours instead of weeks, as most of the busy work and simple logic is taken care of by various co-pilots. But by its nature, more code means more vulnerabilities. And when most organizations are already staring at piling backlogs of security issues, AI adoption only exacerbates the problem.
Finding Code Owners
Ask any security engineer what the hardest part of getting something fixed is, and they’ll say it’s finding the right person to fix it. This challenge has led to entire vulnerability management markets, tools that just exist to help manage the workflows of getting vulnerabilities to the right people. Finding the right developer to fix an issue proves challenging for quite a few reasons:
- Developers get new jobs
- Developers move onto other projects
- Old services get neglected, even if they’re critical
- Companies don’t get much short-term value out of reducing tech debt
AI makes this problem even more challenging, as even the developer who commits the code might not be very familiar with how it works.
We try to find code owners to do fixes because it’s incredibly time-consuming to re-learn how the code works, determine whether it’s actually exploitable, and figure out how to fix it. AI-generated code makes this challenge harder to solve, as the developer needs to spend more time investigating the issue and writing a fix because they never actually wrote the code in the first place.
AI for AI Security
Both of these challenges display the need for cybersecurity tooling to catch up—not just in terms of scan speed, which was the change we saw under DevOps, but in terms of providing solutions instead of alerts. Having developers manually go back and fix security issues won’t scale to keep up with the velocity of AI-generated code.
To keep up with the amount of new code being committed, security scanning needs to include the fix. More code means more vulnerabilities, which means more fixes are needed, which increases the need for automated fixing alongside automated scanning. This goes together with the code-ownership problem: if AI is the real code owner, we need to also get fixes from AI. Time has never been more valuable, and using AI to secure AI-generated code is the only scalable option.