Generative AI poised to make substantial impact on DevSecOps

Generative AI is expected to help write secure code, improve code analysis, create tests, write documentation, and assist with many other DevSecOps functions. But the technology is still in its infancy, and early results are mixed.

The optimistic view is that by training the AI on libraries of clean and secure code, teaching it best practices, and exposing it to a company’s internal policies and frameworks, all of its code suggestions would be secure right from the start. Generative AI can also be used for finding security problems in existing code, for debugging, for generating tests, for writing documentation, and for many other tasks related to DevSecOps.

The danger, however, is that generative AI could instead generate insecure code, and do so quickly and authoritatively, creating more problems for companies down the line.

So, how many developers are already using generative AI? According to most industry surveys, the majority of them. A CoderPad survey of more than 13,000 developers released in January found that 67% of tech professionals say that they already use AI as part of their job, with ChatGPT being the top tool, followed by GitHub Copilot — a generative AI development tool — and Bard. Nearly 59% said they use it for code assistance, more than half said they use it for learning and tutorials, and around 45% said they use it for code generation.

At stock photography company Shutterstock, the use of GitHub Copilot has positively impacted the day-to-day work of the company’s software engineers, says Sejal Amin, the company’s CTO. “After just eight hours of learning, 90% of developers reported an impact on the developer experience,” Amin tells CSO. “And some of the early feedback we got is that a majority of our developers increased their productivity.”

But there are limitations to what generative AI can do today, Amin adds. Someday, generative AI may be used to build in security right from the start of the development process. “But based on our experience, no tool today is generating production level code with security, performance, stability, scale — all those things that we need to look at that are contextually relevant to our business.”

Instead, the generated code still requires in-depth review. “It requires senior engineers to engage with the output that it’s creating,” Amin adds.

Generative AI could increase code productivity

A SlashData report that surveyed more than 17,000 developers found that 80% of coders think generative AI will increase their potential and productivity at work — a remarkable consensus for a brand-new technology. Generative AI is expected to help new developers most of all. Among developers with less than a year of coding experience, 80% say that generative AI will help them use tools they previously could not, compared to 60% of developers with more than 16 years of experience.

Forrester analyst Janet Worthington confirms that generative AI will have a dramatic impact on productivity. “With generative AI and software development we’re predicting anywhere from 15% to 20% more productivity in automating test cases,” she tells CSO. “And in coding, we expect an even larger bump — as much as a 50% increase in productivity. The amount of code that people are going to be able to generate is skyrocketing. We are seeing a level of volume and productivity that we have not seen for a long time in software development. And we’re just at the beginning of it,” Worthington says.

And the tools keep improving. What started as simple questions posted to ChatGPT have evolved into programming “copilots” that are integrated into software development pipelines. According to a survey of CTOs and VPs of engineering released by LinearB this January, 87% of organizations are planning to invest in a generative AI coding tool this year.

But does this code even work? Not necessarily. According to a GitClear review of 153 million lines of code, published in January, code churn — the percentage of code that’s pushed to a repo but reverted, removed, or updated within two weeks — has been increasing in tandem with the rise of generative AI coding assistants. The company expects the churn rate to be 7% this year, twice as high as before generative AI.
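To make the churn metric concrete, here is an added example (not part of the article and not GitClear’s methodology) that computes the two-week churn rate over a constructed commit history. The line-tracking model is a deliberate simplification: every added line carries a stable id, and a later commit that removes or rewrites that id within 14 days of its first push counts the line as churned.

```python
"""Two-week code-churn rate over a simplified commit history.

Added illustration only: the commit records are constructed, and the
line-id model stands in for the diff tracking a real tool would do.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CHURN_WINDOW = timedelta(days=14)  # "within two weeks" from the definition above


@dataclass
class Commit:
    when: datetime
    added: dict[str, str] = field(default_factory=dict)     # line id -> text
    removed: set[str] = field(default_factory=set)          # line ids deleted
    modified: dict[str, str] = field(default_factory=dict)  # line id -> new text


def churn_rate(commits: list[Commit], window: timedelta = CHURN_WINDOW) -> float:
    """Fraction of pushed lines that were removed or rewritten within `window`.

    A line is counted once, at the time it is first pushed; a later removal
    or modification only counts as churn if it happens inside the window
    measured from that first push.
    """
    history = sorted(commits, key=lambda c: c.when)
    born: dict[str, datetime] = {}   # line id -> time it was first pushed
    churned: set[str] = set()
    total_added = 0
    for c in history:
        for lid in c.added:
            if lid not in born:      # re-adding an old id does not reset its age
                born[lid] = c.when
                total_added += 1
        for lid in set(c.removed) | set(c.modified):
            if lid in born and lid not in churned and c.when - born[lid] <= window:
                churned.add(lid)
    return len(churned) / total_added if total_added else 0.0


# Constructed history: five lines pushed over time, three of them touched
# within two weeks of being written, one reworked only after 40 days.
T0 = datetime(2024, 1, 8)
SAMPLE_HISTORY = [
    Commit(T0, added={"a1": "def parse(s):",
                      "a2": "    return s.split(',')",
                      "a3": "x = 1",
                      "a4": "y = 2"}),
    Commit(T0 + timedelta(days=3),
           modified={"a2": "    return [p.strip() for p in s.split(',')]"}),
    Commit(T0 + timedelta(days=10), removed={"a3"}, added={"a5": "z = 3"}),
    Commit(T0 + timedelta(days=40), removed={"a4"}),          # outside the window
    Commit(T0 + timedelta(days=20), modified={"a5": "z = 4"}),  # 10 days after a5 was added
]

if __name__ == "__main__":
    print(f"two-week churn rate: {churn_rate(SAMPLE_HISTORY):.0%}")  # 60%
```

With a real repository the same loop would run over `git log -p` output, attributing each added line to its commit time; the metric is only meaningful when the window is measured from authorship, which is why `born` is recorded on first push rather than per commit.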

And this isn’t the only warning bell for generative AI where productivity is concerned. Every year, Google Cloud surveys tens of thousands of developers for its annual State of DevOps report, and this year AI was a major topic. Respondents said that artificial intelligence was already showing value when it comes to writing and optimizing code and analyzing security, helping them to learn new skills, identify bugs, write tests, create documentation, and more.

But, according to the report’s authors, the survey data shows that AI has a neutral or even negative effect on team performance and software delivery performance. “We speculate that the early stage of AI-tool adoption among enterprises might help explain this mixed evidence,” the authors said. “There is a lot of enthusiasm about the potential of AI development tools… but we anticipate that it will take some time for AI-powered tools to come into widespread and coordinated use in the industry.”

Code security with generative AI

Generative AI is even more of a mixed bag when it comes to writing secure code. Many hope that, by ingesting best coding practices from public code repositories — possibly augmented by a company’s own policies and frameworks — the code AI generates will be more secure right from the very start and avoid the common mistakes that human developers make.

For example, when a developer begins a new piece of code, the AI can intelligently suggest or even apply elements like intellectual property headers, Netskope deputy CISO James Robinson tells CSO. “This not only streamlines the coding process but also minimizes the need for the DevSecOps team to actively monitor and address such considerations.”

The ability of generative AI to grasp contextual information can lead to a new era in software development, Robinson says, with improved code quality and efficiency. “Despite the potential pitfalls, leveraging generative AI tools like copilots ultimately empowers developers to produce code with fewer flaws and vulnerabilities.”

And having generative AI automatically use safe practices and mechanisms contributes to a more secure coding environment, Robinson says. “The benefits extend to improved code structuring, enhanced explanations and a streamlined testing process, ultimately reducing the testing burden on DevSecOps teams.”

Some developers think that we’re already there. According to a report released in November by Snyk, a code security platform, 76% of technology and security pros say that AI code is more secure than human code.

But, today at least, that sense of security might be an illusion, and a dangerous one at that. According to a Stanford research paper last updated in December, developers who used an AI coding assistant wrote “significantly less secure code” — but were also more likely to believe that they wrote secure code than those who didn’t use AI. In addition, the AI coding tools sometimes suggested insecure libraries, and the developers accepted the suggestions without reading the documentation for the components, the researchers said.

Similarly, in Snyk’s own survey, 92% of respondents agreed that AI generates insecure code suggestions at least some of the time, and a fifth said that it generates security problems “frequently.”

However, even though the use of generative AI speeds up code production, only 10% of survey respondents say that they have automated the majority of their security checks and scanning, and 80% say that developers in their organizations bypass AI security policies altogether.

In fact, with the adoption of generative AI coding tools, more than half of organizations have not changed their software security processes. Of those who did, the most common change was more frequent code audits, followed by implementing security automation.

All of this AI-generated code still needs to undergo security testing, says Forrester’s Worthington. In particular, enterprises need to ensure that they have tools in place and integrated to check all the new code and to check the libraries and container images. “We’re seeing more need for DevSecOps tools because of generative AI.”

Generative AI can help the DevSecOps team write documentation, Worthington adds. In fact, generating text was ChatGPT’s first use case. Generative AI is particularly good at creating first drafts of documents and summarizing information.

So, it’s no surprise that Google’s State of DevOps report shows that AI had a 1.5 times impact on organizational performance as a result of improvements to technical documentation. And, according to the CoderPad survey, documentation and API support is the fourth most popular use case for generative AI, with more than a quarter of tech professionals using it for this purpose.

It can work the other way, too, helping developers comb through documentation faster. “When I coded a lot, a lot of my time was spent digging through documentation,” says Ben Moseley, professor of operations research at Carnegie Mellon University. “If I could quickly get to that information, it would really help me out.”

Generative AI for testing and quality assurance

Generative AI has the potential to help DevSecOps teams to find vulnerabilities and security issues that traditional testing tools miss, to explain the problems, and to suggest fixes. It can also help with generating test cases.

Some security flaws are still too nuanced for these tools to catch, says Carnegie Mellon’s Moseley. “For those challenging things, you’ll still need people to look for them, you’ll need experts to find them.” However, generative AI can pick up standard errors.

And, according to the CoderPad survey, about 13% of tech professionals already use generative AI for testing and quality assurance. Carm Taglienti, chief data officer and data and AI portfolio director at Insight, expects that we’ll soon see the adoption of generative AI systems custom-trained on vulnerability databases. “And a short-term approach is to have a knowledge base or vector databases with these vulnerabilities to augment my particular queries,” he says.

A bigger question for enterprises will be about automating the generative AI functionality — and how much to keep humans in the loop. For example, if the AI is used to detect code vulnerabilities early in the process, how much of the fixing should it be allowed to do? “To what extent do I allow code to be automatically corrected by the tool?” Taglienti asks. The first stage is to have generative AI produce a report about what it sees; then humans can go back and make changes and fixes. Then, by monitoring the tools’ accuracy, companies can start building trust for certain classes of corrections and start moving to full automation. “That’s the cycle that people need to get into,” Taglienti tells CSO.
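The cycle Taglienti describes can be expressed as a routing policy: every class of AI-proposed fix starts out as report-only, human reviewers record whether each fix was right, and a class is promoted to automatic application only once it has enough reviews at a high enough acceptance rate (and is demoted again if its measured accuracy slips). The following is an added example, not tooling from any vendor quoted in the article; the fix-class labels, thresholds and review tallies are constructed for the illustration.

```python
"""Trust-gated routing of AI-proposed code fixes.

Added illustration of the report -> review -> automate cycle described
above. Finding classes, thresholds and review outcomes are constructed.
"""
from dataclasses import dataclass, field

MIN_REVIEWS = 20        # reviews a class needs before it can be trusted at all
MIN_ACCEPT_RATE = 0.95  # share of past fixes that humans accepted unchanged


@dataclass
class Finding:
    finding_id: str
    fix_class: str      # constructed class label, e.g. "missing-null-check"
    file: str
    proposed_fix: str


@dataclass
class TrustLedger:
    """Per-class tally of how human reviewers judged the tool's past fixes."""
    accepted: dict[str, int] = field(default_factory=dict)
    rejected: dict[str, int] = field(default_factory=dict)

    def record(self, fix_class: str, human_accepted: bool) -> None:
        bucket = self.accepted if human_accepted else self.rejected
        bucket[fix_class] = bucket.get(fix_class, 0) + 1

    def stats(self, fix_class: str) -> tuple[int, float]:
        a = self.accepted.get(fix_class, 0)
        r = self.rejected.get(fix_class, 0)
        n = a + r
        return n, (a / n if n else 0.0)

    def is_trusted(self, fix_class: str) -> bool:
        # Trust is recomputed from the full history on every call, so a run of
        # rejected fixes pulls a class back to human review automatically.
        n, rate = self.stats(fix_class)
        return n >= MIN_REVIEWS and rate >= MIN_ACCEPT_RATE


def route(finding: Finding, ledger: TrustLedger) -> str:
    """'review' (report only) until the class has earned 'auto-apply'."""
    return "auto-apply" if ledger.is_trusted(finding.fix_class) else "review"


def simulate_review_cycle() -> dict[str, dict[str, str]]:
    """Walk three constructed findings through the trust-building cycle."""
    ledger = TrustLedger()
    findings = [
        Finding("F-1", "missing-null-check", "api/handler.py", "return 401 when user is None"),
        Finding("F-2", "sql-string-concat", "db/query.py", "switch to a parameterised query"),
        Finding("F-3", "hardcoded-secret", "config.py", "read the secret from the environment"),
    ]
    stages: dict[str, dict[str, str]] = {}

    # Stage 1: no history yet, so every finding is only reported for review.
    stages["stage1"] = {f.finding_id: route(f, ledger) for f in findings}

    # Humans review a batch of fixes; the ledger learns per-class accuracy.
    for _ in range(30):
        ledger.record("missing-null-check", True)        # consistently correct
    for i in range(30):
        ledger.record("sql-string-concat", i % 3 != 0)   # ~67% accepted: not trustworthy
    for _ in range(5):
        ledger.record("hardcoded-secret", True)          # correct so far, but too few reviews

    # Stage 2: only the class with enough high-quality reviews is automated.
    stages["stage2"] = {f.finding_id: route(f, ledger) for f in findings}

    # Monitoring continues: three rejected fixes drop the rate to 30/33 < 0.95.
    for _ in range(3):
        ledger.record("missing-null-check", False)
    stages["stage3"] = {f.finding_id: route(f, ledger) for f in findings}
    return stages


if __name__ == "__main__":
    for stage, routing in simulate_review_cycle().items():
        print(stage, routing)
```

The thresholds are policy knobs rather than magic numbers: `MIN_REVIEWS` keeps a class from being promoted on a handful of lucky fixes, and `MIN_ACCEPT_RATE` encodes how much residual error the team will tolerate applying without a human looking first.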

Similarly, for writing test cases, AI will need humans to guide the process, he says. “We should not escalate permissions to administrative areas — create test cases for that.”

Generative AI also has the potential to be used for interrogating the entire production environment, he says. “Does the production environment comply with these sets of known vulnerabilities related to the infrastructure?” There are already automated tools that check for unexpected changes in the environment or configuration, but generative AI can look at it from a different perspective, he says. “Did NIST change their specifications? Has a new vulnerability been identified?”

Need for internal generative AI policies

Curtis Franklin, principal analyst for enterprise security management at Omdia, says that he talks to development professionals at large enterprises and they’re using generative AI. And so are independent developers and consultants and smaller teams. “The difference is that the large companies have come out with formal policies on how it will be used,” he tells CSO. “With real guidelines on how it must be checked, modified, and tested before any code that passed through generative AI can be used in production. My sense is that this formal framework for quality assurance is not in place at smaller companies because it’s overhead that they can’t afford.”

In the long term, as generative AI code generators improve, they do have the potential to improve overall software security. The problem is that we’re going to hit a dangerous inflection point, Franklin says. “When the generative AI engines and models get to the point where they consistently generate code that’s pretty good, the pressure will be on development teams to assume that pretty good is good enough,” Franklin says. “And it is that point at which vulnerabilities are more likely to slide through undetected and uncorrected. That’s the danger zone.”

As long as developers and managers are appropriately skeptical and cautious, then generative AI will be a useful tool, he says. “When the level of caution drops, it gets dangerous — the same way we’ve seen in other areas, like the attorneys who turned in briefs generated by AI that included citations to cases that didn’t exist.”
