The Shifting Landscape of Application Security: Shift Left, Co-pilots and Beyond

By Ketan Nilangekar, Co-Founder and CEO, ThreatWorx

The quest for robust application security has historically relied on the “Shift Left” philosophy, which emphasizes developer responsibility and integrating security testing practices earlier in the development lifecycle. This approach sounded promising but has not lived up to expectations. Overreliance on the security savvy of developers, and its effects on “Agile” development processes, has had the opposite effect: it has diminished the security posture of applications.

This is where the rise of Generative AI (Gen AI) and co-pilot tools presents a fascinating opportunity. These innovative technologies hold tremendous potential for boosting developer productivity and streamlining the coding process. However, their impact on application security could be double-edged.

The Shortcomings of Shift Left
As it turns out, simply moving application security earlier in the lifecycle is actually counterproductive to the speed at which engineering teams are expected to deliver code. It also does not help catch vulnerabilities that can only be surfaced later in the development cycle – things like configuration checks for the environments where the app will actually be deployed.

Developers are ill-equipped and sometimes unwilling participants in this process, trying to grapple with security terminology and mitigations for vulnerabilities that they either do not understand or think are unrealistic.

This typically cascades into delays and bottlenecks in the dev lifecycle that no one likes, leading to shortcuts and “executive exemptions”. Applications are no more secure than they would be without shift left.

Generative AI and Co-pilots: A Double-Edged Sword
Generative AI and co-pilot tools can offer some interesting options here. First off, they may offer a way for developers to write secure code and test it much faster. The keyword is “may”, because Generative AI’s ability to write secure code in the first place is highly dependent on what the Gen AI model was trained on.
Large language models (LLMs) are “stochastic parrots”, in that they are basically faithfully regurgitating the words (or bits of code) that they know are the most likely answer to your prompt. They really don’t know the difference between good and bad code unless they have been shown this difference as samples in their training.

It is possible to fine-tune (train) an LLM to know this difference and know it well, but that may require a lot of data and compute (GPU), which makes it commercially unsuitable for a large number of development teams.

On the other hand, co-pilots may be perfectly equipped to generate a clean-sheet code base for bootstrapping new applications, find obvious vulnerabilities and static code issues in existing code, test code for various security scenarios, and suggest fixes and test them automatically.

Today, however, all these capabilities need to be unlocked through (a series of) prompts which have to be carefully engineered to give the best results. This again brings the problem back to the developer’s ability to create such prompts. Bad prompts will result in bad code.

Also, since the “Generative” part of “Gen AI” is inherently based on probabilities of symbols or tokens, the output of co-pilots (LLMs) is very likely to be different even for similar prompts. “Hallucinations” are a symptom of the LLM output being wildly out of context precisely because of the non-deterministic nature of the model itself.

The Dark Side: Bad Actors Using Gen AI
As good as Gen AI is for application developers, it also gives hackers and bad actors an equally powerful tool to weaponize vulnerabilities against us. This means more malware targeting the applications we are developing. The need for securing applications early just increased manyfold.

New Better Future
AI and co-pilots deployed in the right way can no doubt increase productivity and improve the security posture of our applications.

Co-pilots will get better and more compact. A co-pilot targeted for application development doesn’t really need a large model which knows the history of the world. It simply needs enough understanding of good and bad code. We are getting there already, as a lot of custom compact models designed for specific co-pilot tasks are becoming mainstream.
Recognizing the true power and limitations of shift left and co-pilots is important. A capable and responsible development team (humans-in-the-loop) combined with the speed and oversight of a tuned co-pilot could be the nirvana we are all seeking in AppSec.
