#Infosec2024: Tackling Cyber Challenges of AI-Generated Code


Programmers could soon be using AI-generated code in software development, but the cybersecurity community must overcome security and data privacy risks to grasp its full potential.

During a talk at Infosecurity Europe 2024, Lucas von Stockhausen, executive director for application security engineering at Synopsys, shared the top challenges programmers face when using generative AI in their work.

How AI Helps Coders Today

Generative AI will undoubtedly disrupt software coding, said the former engineer, quoting a statement from consultancy Gartner.

“In fact, AI technologies are already having a significant impact on programmers’ productivity,” he continued.

For instance, a 2022 GitHub Copilot analysis showed that AI improved code deployment by 25% and increased developers’ overall productivity by 50%.

However, while Stockhausen said these numbers will likely increase as generative AI adoption grows, he also admitted that fully AI-generated code use cases do not exist yet.

The main reason is that current generative AI tools are good at specific tasks but not so much at complex requests.

“For example, GitHub Copilot has proved to be good at avoiding certain security weaknesses, like cross-site scripting or improper restriction of operations, it also seems particularly prone to others, such as improper input validation or operating service command injection,” Stockhausen added.

Other reasons include the tendency of large language model (LLM)-based tools to reuse vulnerable or improperly written code, just as they sometimes provide incorrect information or hallucinations.

“Today, the three types of AI uses in code generation are AI coding assistants, AI-enabled applications and commercial large language models helping programmers,” he added.

Top Challenges of AI-Generated Code

Generative AI tools designed for coding will eventually become more efficient and precise, Stockhausen said.

Although these predicted advancements are to be welcomed, he added that generating code mainly with an AI tool will still come with other significant technical, security and privacy risks.

This is why the cybersecurity community should already build ways to mitigate some of the top challenges, including:

  • Lack of visibility into AI-generated code
  • Open source software license violations
  • Code security and quality
  • Exponential proliferation of technical debt
  • Intellectual property (IP) leakage into an LLM ecosystem

“Resources like the OWASP Top 10 for LLMs are a great place to start, but they won’t be enough to address all these challenges,” Stockhausen said.


Securing Tomorrow’s AI-Generated Code Tools

Stockhausen recommended a list of three priorities to tackle these risks before AI-generated code becomes mainstream.

These include:

  1. Define AI use policies and practices with IP protection as a top priority
  2. Select your AI coding assistant carefully
  3. Don’t just trust AI-generated code, verify it the same way you would verify human-generated code


