Get the best from AI in software development without risking the worst

The problem isn’t AI. It’s how your developers are using it. If we implicitly trust something we don’t understand, we open ourselves to potentially devastating consequences. Not just for ourselves, but for our customers and partners. Four steps can help you prevent these consequences without taking AI away from your developers.

Automate security checks

Automating security scans is essential for timely, consistent, and repeatable results. This is particularly important as AI coding assistants are increasingly being used semiautonomously and pushing code through pipelines quickly. Automation should balance security coverage with pipeline speed, and trigger only necessary tests based on pipeline actions.

Set up automated security scans to

• Detect new code. CI/CD pipelines with automated scanning can be integrated into version control systems (e.g., Git) to monitor changes in real time, thus detecting new code as it’s generated.
• Add code to test queues. Once new code is detected, automatically adding it to a test queue ensures that all AI-generated code is subject to comprehensive testing as quickly as possible. This avoids burdening AppSec teams and risking undesirable compromises due to time restrictions.
• Run AST scans. Automating application security testing (AST) in CI/CD pipelines and IDEs ensures early detection of issues, when it’s easiest and least costly to fix them.
• Inform and assist developers. Prioritize issues for remediation based on risk-tolerance policies, and close feedback loops with developers via their preferred issue management workflows (e.g., Jira tickets, fix pull requests). Automate the process of providing developers with clear guidance on what to fix and how to fix it.

Cultivating security-capable developers should be a persistent background activity amid all this. Developers must be able to cross-check the output of AI code generators as well as fix issues detected in later stages. Additionally, train your AI models to recognize and avoid security risks before they produce them. Automate this by incorporating security best practices and rules into the training data and algorithms used by your AI.

Implement snippet scanning

Snippet scanning can quickly identify and address potential software license conflicts before they are propagated across projects. Implement mechanisms to automatically detect small excerpts of code (snippets) sampled from licensed open source components.

Integrate snippet scanning tools into dependency management systems, or initiate their analysis with every code commit to keep pace with faster, AI-enabled pipelines. This will help you maintain an up-to-date and accurate inventory of third-party components.

Adopt AI in phases

Instead of a big-bang approach in which AI is rolled out everywhere all at once, go with a step-by-step process that gradually integrates AI into your workflows. This allows you to manage risks, optimize resources, and ensure that your AI solutions are effectively aligned with your business needs.

• Restrict AI access to certain teams based on their readiness and the critical nature of their projects. For instance, teams working on an application that’s not customer-facing or business-critical, or those operating in business units or global regions subject to lesser regulatory scrutiny, would be good starting points.
• Ensure the selected teams have robust mitigation controls in place. This includes established protocols, code review processes, and testing frameworks. Automatically enforce security gates that can act quickly if AI tools violate policies.
• Use pilot projects to evaluate the impact of AI on your development processes. Monitor key metrics such as code quality, security vulnerabilities, and developer productivity to assess the effectiveness—and risk—of your AI tools.
• Establish a feedback loop that allows teams to provide firsthand insights and recommendations to new teams adopting AI tools. The feedback is also useful for refining your AI strategy and addressing issues before broader deployment.

Gradually expand your use of AI tools based on the success and learnings from initial teams. This phased approach allows for controlled scaling and continuous improvement. A phased approach also gives you the opportunity to implement security controls to mitigate risk. These controls should include

• Training and education for developers on potential risks associated with AI-generated code
• Security tools and practices such as those discussed in this blog post
• Code review policies to ensure all code is reviewed by experienced developers with security and compliance expertise
• Testing frameworks to validate AI-generated code including unit tests, integration tests, and security tests
• Incident response plans for handling breaches as well as issues related to AI-generated code
• Regular audits of your AI-generated code and development processes to identify gaps in controls and ensure ongoing compliance
• Collaboration with security teams so they can provide guidance to help your developers understand and implement best practices