Friday, December 13, 2024

HomeCyberSecurityDon’t be afraid of GenAI code, but do be wary

Don’t be afraid of GenAI code, but do be wary

Artificial intelligence (AI) isn’t the next big thing. It’s the now big thing. Yes, it’s been in the works for almost 70 years. Very smart people with very large amounts of money, ridiculous levels of computing power, and access to public (and in many cases private) information across the globe have been developing it for decades.

In many cases the results have been mixed, even on rudimentary tasks. Recall the iconic rant, not all that long ago, of a user who posted: “Dear Autocorrect. Stop fixing my swear words, you piece of shut.”

But even if it still isn’t totally ready for prime time, it is prime time. AI is everywhere and doing just about everything from diagnosing illnesses to designing homes, writing research papers, creating deepfake porn, autocorrecting your text—and creating software. Generative AI (GenAI) tools, built from large language models (LLM) fed staggering amounts of data, can deliver software code that turns into software products. And as we all know, software is not just eating the world, it is running the world.

That makes those tools almost irresistibly seductive. They’re blazing fast; they don’t need sleep, coffee breaks, or vacations; they don’t demand a salary and benefits; and they don’t try to unionize. They’re a manager’s dream.

So almost overnight—it’s less than 18 months since ChatGPT plus a host of competing chatbots were released—GenAI code is now considered the fourth major component of software. The other three, which have been around for decades, are the code you write (proprietary), the code you buy (commercial), and (mostly free) open source software (OSS).

There’s nothing inherently wrong with that. Increased productivity usually means increased profits and lower prices.

Just don’t assume that because GenAI code is faster, it’s also better. It’s derived from the vast repository of existing imperfect software written by imperfect humans, which means it’s imperfect in the same ways.

Studies such as the annual “Open Source Security and Risk Analysis” report by the Synopsys Cybersecurity Research Center document that.

– Of the 1,703 codebases scanned for the report, 96% contained OSS, 84% had at least one vulnerability, and 48% contained at least one high-risk vulnerability.  

– Fifty-four percent had license conflicts, with 31% containing OSS with no license.  

GenAI code might be even a bit more imperfect—most experts compare its capabilities to those of a junior developer who can produce basic, serviceable code, but who needs heavy supervision. And the code produced requires the same rigorous testing that any human-generated software needs.

Analyst firm Gartner made that point in a forecast about risk management spending in Australia. In a press release it forecast growing adoption of GenAI, but vigorously debunked the hype about it eliminating the need for testing, predicting that by 2025, “GenAI will cause a spike in the cybersecurity resources required to secure it, causing more than a 15% incremental spend on application and data security.” 

Indeed, given that if GenAI tools are that much faster than humans, they will create that much more code to test.

And it’s not just the inherited vulnerabilities from existing software that can cause problems. GenAI tools can get “poisoned” through criminal hackers injecting malicious code samples into the training data fed to an LLM. That can lead the tool to generate code infected with malware.

All of which makes testing essential. And the three essential software testing methods—static analysis, dynamic analysis, and software composition analysis (SCA)of OSS—should be mandatory to ensure the security and quality of software.

GenAI code should also parallel OSS in that it’s critical to know provenance—who made it, who maintains it (or not), what other components it needs to function (dependencies), any known vulnerabilities in it, and what licensing provisions govern its use. An SCA tool helps find that information, so developers know if they need to fix something or comply with licensing.

That’s why a Software Bill of Materials (SBOM)—an inventory of the entire supply chain for a software product—has become essential to using OSS safely, and is just as essential for using GenAI code safely.

Bottom line: Don’t fall for scare headlines about GenAI code—it offers multiple benefits—but also be aware of its limits and risks. Use it for routine and repetitive coding tasks and leave the bespoke and intricate segments of an application to humans. And test it with the same rigor that any other software code needs.

Because again, remember that it comes from other software.

To learn more about how Synopsys can help you manage your GenAI code visit www.synopsys.com/software.


Source link

Bookmark (0)
Please login to bookmarkClose
RELATED ARTICLES
- Advertisment -spot_img

Most Popular

Sponsored Business

- Advertisment -spot_img