How AI coding tools can help developers boost software security

by Pieter Danhieux, Co-Founder & CEO of Secure Code Warrior

Few technological advances have captured widespread attention as quickly as Artificial Intelligence (AI). In less than two years, AI has evolved from being a technical novelty into a powerful tool, and its rate of evolution shows no sign of slowing.

And given that writing code in multiple languages was one of the first demonstrations of the capabilities of emerging generative AI (GenAI) tools, it’s no surprise that recent surveys have found up to 93 per cent of development teams are using AI tools as part of their workflow. It’s only recently that these teams have started to experience some of the negative side effects of that choice, as the code created by AI tools can actually be full of exploitable vulnerabilities.

In fact, AI coding tools are not (as yet) capable of reliably recognising what vulnerable code looks like, much less avoiding those same errors when generating new code.

In research conducted by the University of Maryland, UC Berkeley, Google, and others, researchers studied 11 AI models belonging to four different families or groups and tasked them with trying to uncover vulnerabilities in computer code generated by AI tools.

With both high false-positive rates and low accuracy in detecting vulnerabilities, the researchers concluded that AI simply was not ready to take on that role.

In another study conducted by the University of Quebec, researchers asked the popular generative AI tool ChatGPT to generate 21 different programs and applications in a variety of languages. While all of the applications coded by the AI worked as intended, only five were deemed to be secure. The rest had dangerous vulnerabilities attackers could have used to compromise any organisation that deployed them.

Humans and AI working together

Those who study AI development would not be too surprised by these studies, or by the many others that got similar results. Generative AIs can create new content by drawing on large language models (LLMs), which are essentially enormous databases of compiled human knowledge that the AI knows how to quickly navigate and parse to come up with new responses and content. The problem is that the LLMs contain both the good and bad aspects of everything humans have created.

In terms of code, the result is that lots of vulnerabilities and bad practices are included in those LLMs. For example, every single OWASP vulnerability is hidden in those models, as well as thousands of others. If a human ever made a mistake and coded a vulnerable application, chances are that it’s included in the models that AIs now draw from. And there is a good chance that an AI will use them too when generating complex new applications.

Overcoming the challenge

So, many people are now asking whether it is possible to enjoy the speed advantages that AI coding offers while also generating secure code. The answer, thankfully, is ‘yes’, but only when humans and AI team up, with each one doing what they do best.

Despite all its amazing abilities, AI does not really understand context. You can ask it to program, for example, the infrastructure for an online store, but it really does not know what you are trying to sell, how to show the right products to the right visitors, or any of the complexities of your backend supply chain.

Writing code that takes all of that into consideration is much more suited to human developers, whose main mission is to write programs that help with or solve some kind of business problem. Humans, especially ones who have worked in their respective industries for a long time, are very good at solving such problems. However, even the best programmers sometimes need a refresher when it comes to the nuts and bolts of complex implementations.

For example, in a recent Stack Overflow developer survey, 63 per cent of the developers said they spend 30 minutes or more every single day searching for answers about how to implement some aspect of an application or program they are building. That so-called cognitive switching, where a human has to move from a creative process to a more rote or research-heavy one, eats up a lot of otherwise productive time every day.

This is where AI tools are best equipped to lend a virtual hand. If a human developer works on an overall program or application and then gets stuck on some aspect of that implementation, that is where an AI tool can help.

For example, writing code to connect a product database to a supply chain application can be done extremely quickly by an AI tool, and doesn’t require the AI to understand the overall context of what it’s working on or the overall mission of the project. It’s also much less likely to introduce vulnerabilities if it’s only being tasked with working on key, fundamental aspects of the code.

Combining strengths

Pairing human developers with AI tools, allowing each to play to their strengths, is a rewarding strategy that can speed up the coding process while limiting some of the dangers posed by AI-induced vulnerabilities in code. Tasking AI with smaller elements of the code creation process is less risky, but vulnerabilities can still pop up.

This is why it’s critical for developers to have security training. If a human understands both the overall context of the project they are working on and best security practices, then they can quickly verify that any part of the code they asked the AI to write is correct and free from vulnerabilities or other problems like business logic flaws.

Encouragingly, a lot of time will still be saved because the human developer does not have to look up how to create the part of the code generated by the AI, and can simply check to make sure that it’s secure, fixing any flaws that might have crept into it.

AI tools are already very powerful and can significantly help in the software development process; however, they are not able to reliably write secure code.

Yet, teamed with experienced human developers, the tools can be utilised to expedite the production of code that is efficient, effective, and secure.