{"id":5411,"date":"2024-08-29T09:49:16","date_gmt":"2024-08-29T13:49:16","guid":{"rendered":"https:\/\/solutionsreview.com\/security-information-event-management\/?p=5411"},"modified":"2024-08-29T10:08:12","modified_gmt":"2024-08-29T14:08:12","slug":"how-cisos-can-prepare-the-enterprise-for-ai-coding-assistants","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/security-information-event-management\/how-cisos-can-prepare-the-enterprise-for-ai-coding-assistants\/","title":{"rendered":"How CISOs Can Prepare the Enterprise for AI Coding Assistants"},"content":{"rendered":"

\"\"<\/a><\/p>\n

Secure Code Warrior’s Pieter Danhieux offers insights on how CISOs can prepare for enterprise AI coding assistants. This article originally appeared on Solutions Review’s Insight Jam<\/a>, an enterprise IT community enabling the human conversation on AI.<\/strong><\/em><\/p>\n

LLMs struggle to produce consistently secure code.\u00a0Security-skilled developers can help ensure secure AI-generated code while optimizing performance.<\/p>\n

Development teams need to get better control of the large language models used in writing software code before those AI models, which have provided undeniable benefits, become a runaway train in terms of lax security protocols.<\/p>\n

Software developers were quick to see AI’s advantages. A little more than a half-year after ChatGPT made its initial splash in November 2022, a\u00a0GitHub survey<\/a> found that 92 percent of U.S.-based developers were using AI coding tools\u2014a number that has likely gone up since then. GitHub has said that its Copilot coding assistant wrote 82 billion lines of code in its first year.<\/p>\n

The downside of enlisting LLMs to write code is the risk they pose to security. Flaws and vulnerabilities have always been present in software. However, the fast-moving evolution of cloud services has increased the demand for code. And if LLMs are used to meet that demand without having the security and quality of the code carefully checked, the consequences could be significant.<\/p>\n

In our own experiments using LLMs to complete secure coding challenges, we routinely see error rates from 10 percent up to 60 percent, with the biggest models averaging around 20-25%. It\u2019s imperative to note that this is a controlled situation in which we’re specifically prompting it in relation to security problems. If your prompt is not security-centric with the correct asks, your chances of success will be worse.<\/p>\n

In terms of vulnerability classes, some are definitely easier for LLMs to navigate than others. They tend to score well on superficial, well-documented patterns such as SQL and other injection vulnerabilities, but suffer on more subjective, flexible issues like resource releasing, insufficient logging, and misconfigured permissions.<\/p>\n

This current state of affairs poses a crisis for the cybersecurity industry, but it also creates an opportunity. On one hand, CISOs and security leaders need a comprehensive plan for implementing AI coding tools safely in order to protect their systems and data, avoid the consequences of a major breach, and stay in compliance with a growing number of regulations. On the other hand, such a plan will allow companies to benefit from the considerable advantages AI coding tools offer while establishing a reliable process for fast, productive and secure software development.<\/p>\n

Reaping those benefits starts with a focus on risk reduction at the developer level.<\/p>\n

Be Aware of AI\u2019s Shortcomings<\/strong><\/h3>\n

It\u2019s not like code was pristine before AI showed up. Human software engineers make their share of mistakes, too. A study by Coralogix found that developers create, on average,\u00a070 bugs per 1,000 lines of code<\/a>, with 15 of those bugs ending up in production systems. As a result, 75 percent of developers\u2019 time is spent on debugging, since fixing bugs takes 30 times longer than writing a line of code.<\/p>\n

At a glance, AI models actually improve those numbers. Nearly 76 percent of respondents to a Synk survey<\/a> said that, overall, AI code is more secure than code created by humans. But it\u2019s far from perfect\u201456.4 percent said AI does introduce coding issues either sometimes or frequently. And considering the sheer volume of code AI creates\u2014and that Synk found that 80% of developers using AI bypass AI code security policies\u2014that threatens to put a lot of buggy code into the software ecosystem.<\/p>\n

Overreliance on AI coding tools as they are currently used is risky because models can struggle to produce reliable results, particularly at the enterprise level.<\/p>\n

An example of LLM\u2019s shortcomings can be found in how the models are ill-equipped to stay current with changes in functionalities. As Andrea Valenzuela, a software developer and data scientist at CERN, points out,\u00a0LLMs are trained<\/a>\u00a0on a snapshot of code and documentation taken at a specific point in time. But APIs and other interfaces, for example, change often. Because LLMs aren\u2019t updated in real time, this leaves them blind to new security risks, which could result in using vulnerable code.<\/p>\n

Although LLMs can be trained to write code, they are trained to predict the next line of code based on what\u2019s come before. But training them to write code that\u2019s optimized for specific business functions\u2014or certain hardware or software environments\u2014is a very difficult challenge.<\/p>\n

Other potential vulnerabilities<\/a>\u00a0resulting from LLM-generated code include data poisoning used to manipulate machine learning models, the theft of LLM models, which can result in the creation of counterfeit models, adversarial inputs that trick LLMs into producing faulty output, and biases present in training data that manifest within its output. Cross-site scripting is another potential vulnerability resulting from AI-generated code. In fact, LLM code flaws are common enough that the OWASP Foundation has created a web page just for the\u00a0top 10 most critical LLM vulnerabilities<\/a>.<\/p>\n

Setting the Stage for Secure AI Coding<\/strong><\/h3>\n

Organizations aren\u2019t going to abandon AI over these concerns. In fact, the trend is strongly in favor of using it more. However, they need to acknowledge that AI models can\u2019t be trusted to produce consistently secure and optimally functional code. CISOs need to prepare their organizations’ foundations to apply security and oversight to LLMs to ensure that they get maximum benefits from AI-generated code while applying strict security controls to the process.<\/p>\n

Another consideration is the decision-making process: Who will determine which AI agent should be used? As we have seen, there are various LLMs in the market, each with different strengths and shortcomings, and in terms of coding, one may be more accurate than another. Ultimately, highly regulated enterprise environments like the financial services sector will likely operate with a central decision, but more liberal environments, such as the tech sector, may leave this up to individual developers, which will vastly increase the risk and governance variables in the SDLC.<\/p>\n

Among the steps they can take:<\/p>\n