Derek Holt is CEO of Digital.ai.
While AI has existed as a concept, and been under active development, for many decades, over the past two years it has jumped from a concept to a set of services that we can all try, experiment with and use in our day-to-day workflows. The recent rise of AI assistants, also known as copilots, has become the new primary interaction model. A novice user can describe what they want to do in conversational language, and the copilot is supposed to make it happen.
In the span of little more than a year, copilots have emerged in the software development domain as a potentially revolutionary tool with near-endless potential to shape the way software is planned, built, tested and delivered. However, security concerns around copilot adoption are high, particularly in enterprise environments.
In this article, I will lean into some of the top security risks and highlight approaches to avoid trouble later.
Copilots can exacerbate several security challenges we grapple with in software development.
Copilots’ ability to draw from a vast corpus of code repositories makes them a powerful ally for programmers. However, adoption is not without risk. The responsibility to write and deliver secure software encompasses disciplines such as well-formed/secure code, avoidance of risky third-party dependencies and ensuring data privacy, encryption, code obfuscation and anti-tampering techniques. These security dimensions have long challenged “human” generated code, and early analysis indicates that code generated by copilots presents an even greater risk. In fact, recent surveys have shown sharp increases in security vulnerabilities in AI-generated code.
There are three key categories that must be understood and addressed: code vulnerabilities, dependency risks and data privacy concerns.
1. Code Vulnerabilities
AI models are trained on data sets that are fed to them. In the world of software development copilots, this tends to be large repositories of code. Unfortunately, the training data (in this case the code) often includes security vulnerabilities—and those vulnerabilities will be ingested by the AI as they are. Given copilots simply pattern match at scale and thus do not understand coding semantics, they can often repeat (at scale) vulnerabilities found in the training data.
Studies have demonstrated that a model trained with errors is likely to increase the errors: The average commercial software project has 40 first-party code vulnerabilities, with a third categorized as high severity. If the copilot sees this code as good, it will use it repeatedly, increasing the number of times a mistake appears.
2. Dependency Risks
Beyond first-party code vulnerabilities, today’s modern software applications include endless dependencies on third-party libraries and services. While third-party dependencies have long introduced security risks for human-generated applications, copilots are unaware of security risks and are often trained on legacy code bases, so they have the potential to automatically introduce dependencies on outdated and insecure libraries and third-party systems. Given the overall volume of code generated, enterprises may, in fact, lack visibility into these dependencies, making it more challenging than ever to remediate and, in some cases, patch those vulnerabilities.
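One way to regain the visibility described above is to audit every dependency file a copilot emits before it is merged. The following is an added example, not code from the article or from Digital.ai: it parses a constructed requirements.txt and flags unpinned entries and pins below a policy floor. The package names, versions and `MIN_VERSIONS` floors are all constructed placeholders; a real pipeline would feed the floors from an advisory database or SCA tool.

```python
"""Inventory pinned Python dependencies and flag unpinned or outdated ones."""
import re
from typing import Dict, List, Tuple

# Constructed sample of what a copilot trained on legacy code might emit.
GENERATED_REQUIREMENTS = """\
requests==2.19.1      # old pin carried over from training data
pyyaml==3.13
flask                 # no pin at all: no visibility into what gets installed
cryptography==41.0.7
"""

# Constructed policy: minimum acceptable version per package (placeholders,
# not real advisories; in practice sourced from an SCA tool or advisory feed).
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "requests": (2, 31, 0),
    "pyyaml": (5, 4, 0),
    "cryptography": (41, 0, 0),
}

# name, optional "==version"; anything else (ranges, URLs) is reported as unparsed.
_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==\s*([0-9][0-9A-Za-z.]*))?\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.19.1' into (2, 19, 1) so versions compare as tuples."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def audit_requirements(text: str, floors: Dict[str, Tuple[int, ...]] = MIN_VERSIONS) -> List[Tuple[str, str]]:
    """Return (package, finding) pairs for entries a reviewer should look at."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            findings.append((line, "unparsed"))
            continue
        name, _, version = m.groups()
        name = name.lower()
        if version is None:
            findings.append((name, "unpinned"))
            continue
        floor = floors.get(name)
        if floor and parse_version(version) < floor:
            findings.append((name, f"outdated: {version} < {'.'.join(map(str, floor))}"))
    return findings
```

Wiring `audit_requirements` into the pull-request check makes a non-empty result block the merge, so outdated or unpinned dependencies are caught whether a human or a copilot wrote the file.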
3. Data Privacy Concerns
As governments worldwide continue to expand and further enforce regulations around data privacy from both an industry (PHI, HIPAA, etc.) and regional (GDPR, etc.) perspective, organizations must also consider the data privacy risks when using copilots to accelerate software development. As we have discussed, copilots ultimately do not understand semantics, nor do they currently understand and contextualize regulations. With that, copilots have the potential to unknowingly include sensitive data. This puts increasing pressure on developers, security organizations and engineering teams to ensure that generated code is well contextualized.
Mitigate Risk And Improve Outcomes
The good news is that there are people, processes and tooling solutions to mitigate risk and improve outcomes. Here are a few strategies, approaches and best practices for human-generated code:
Education And Training
Organizations should continue to provide comprehensive training to developers on recognizing and addressing security vulnerabilities—not just in their own code but in copilot-generated code as well. Next, the focus should be on establishing best practices and guidelines for responsibly using copilots and prioritizing security as part of those efforts. Creating copilot and AI-focused Centers of Excellence (CoEs) is also encouraged to establish best practices in processes and tooling. Leading organizations are also beginning to identify and track key metrics to increase visibility both for productivity gains and broader risks.
Code Review And Enhanced Scanning (SAST/DAST)
Enterprises should expand their focus on and usage of commonly deployed application security testing tools. These tools provide developers with the ability to either scan software from within the code or against the running software, a.k.a. SAST or DAST. Security professionals can also use penetration testing—an approach that searches for further vulnerabilities in applications through outside-in simulated attacks (performed either manually or automatically, leveraging any number of available tools). All these tools are useful for human and AI-generated code. Organizations should also implement more robust code review processes focusing on the early identification of security flaws while also ensuring adherence to coding standards.
Modern And AI-Aware DevSecOps
In the past decade, I’ve noticed organizations dramatically reduce security and quality issues while improving compliance through DevSecOps standardization and automation. Organizations that have mature DevSecOps processes including various flavors of security-related scanning can safely and successfully adopt copilots. Their well-defined governance processes, automation and ability to measure the end-to-end business process of building and delivering software puts them in a unique position to quickly adopt while managing risk. Automating DevSecOps processes ensures best practices are followed for critical tasks from the final code pull request through to production, whether delivering human or AI-generated code through the delivery pipeline.
As the landscape of AI-assisted software development continues to evolve, enterprises must remain vigilant in striking the right balance between innovation and security. These best practices will bring value and dramatically reduce risk today and into the future.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders.