Snyk Blog

Learning from cloud transformation as we move to AI

Written by:
David Lugo
David Lugo
wordpress-sync/feature-5FoCS4

May 21, 2024

0 mins read

Development teams of all sizes are embracing the excitement and possibility of using AI tools to build software. Coding assistants like Google Gemini and Github Copilot have the potential to accelerate development like never before, and developers are adopting these tools — whether or not leadership has officially approved them. 

As your team considers the best ways to adopt this new technology, this transition might feel like déjà vu. These messages around AI (new levels of speed, innovation, etc.) probably sound like another digital transformation we saw about ten years ago — the introduction of cloud. 

Cloud transformation changed software development in many ways, forcing teams to refine their processes and increase their velocity as they dealt with emerging technology like infrastructure-as-code (IaC) and containers.

In the same way, AI technologies will change the way we build software. Developers can use AI to generate code in a fraction of the time it would take them to write it manually. We saw the same leveling up of speed and efficiency when cloud transformation arrived on the scene.

But many of us are also familiar with the growing pains associated with this type of technology shift, such as new security risks and confusion around ownership. While AI can feel like a giant leap for some organizations, it’s not unlike other transformations we’ve lived through. The lessons learned from the shift to the cloud a decade ago can translate well to the changes we face with emerging AI technology today.

Lessons learned from cloud transformation

For many organizations, cloud transformation uncovered issues that were already there. Inefficient handoffs between teams or legacy tools might’ve gone unnoticed in an on-prem environment. However, teams couldn't hide these inefficiencies once organizations moved to the cloud. Organizations quickly found out that they would need to evolve in three areas. 

Adopting DevOps tooling

As organizations moved to a cloud DevOps approach, they quickly realized that many existing tools built for on-prem environments wouldn’t cut it. Security teams especially needed to move to tools that would keep up with the fast pace of change seen in an iterative DevOps approach, or else they’d frustrate developers and impact business efficiency. 

To adapt to this new pace of change, organizations turned to DevSecOps, integrating security testing throughout the software development lifecycle rather than waiting until the end of the process to test. Transitioning to DevSecOps meant that teams needed to leave traditional tooling and adopt new, purpose-built tools for the cloud. This tooling must be tested rapidly, aligned with agile processes like CI/CD, and work seamlessly with cloud-focused items such as containers and open source code.

Lesson learned: To embrace digital transformation, adopt tools that are purpose-built for new technologies and can fit seamlessly into agile workflows. 

Today’s new AI technologies also require the right tech stack. Teams should consider tooling based on how it aligns with modern AI solutions. In addition, these tools must be purpose-built for the unique aspects of AI-generated code, with features such as labels for differentiating AI-generated versus human-written code

Fostering shared ownership

Cloud migration also meant that shared ownership would look different to organizations. For example, IT infrastructure went from physical structures owned by the IT team to infrastructure-as-code (IaC), which the development teams had to provision instead. Development teams also had to take ownership of security throughout the software lifecycle, working to scan and fix issues in their code. 

To foster this shared ownership for various aspects of the SDLC, companies began to develop cloud centers of excellence and security champion programs. These training programs empowered teams to collaborate in building secure, high-quality applications in a cloud environment.  

Lesson learned: To embrace digital transformation, roll out training programs and centers of excellence to facilitate best practices across the organization. 

To adopt AI without compromising security or quality, today’s teams must also consider training programs that emphasize AI best practices and even consider establishing an AI center of excellence.  

Creating integrated processes

As part of moving from a waterfall model to a DevSecOps approach, teams had to bridge process gaps, such as integrating security testing into development workflows. Handoffs between stages of development had to be seamless, with as few context shifts as possible. For example, teams began to use security tools and processes that integrated with common development tools, such as CI/CD tooling, repositories, and CLIs. These seamless integrations ensured a more comprehensive approach, enabling teams to use the cloud to its full potential for velocity and collaboration. 

Lesson learned: To embrace digital transformation, bridge process gaps by minimizing context shifts and integrating security into existing developer workflows. 

Using AI safely also requires integrated processes, such as instituting a security companion that fits into existing GenAI workflows. If developers have to take too many extra steps to secure their AI-generated code, it will defeat the whole purpose of using AI for velocity in the first place.

Adapting to the speed of AI

AI is doing exactly what the cloud did ten years ago — supercharging companies' ability to build applications more quickly and efficiently. But similar to cloud migration, organizations must take intentional steps to adapt to these changes smoothly and securely.

Snyk recently announced a unique collaboration with Gemini Code Assist to support organizations as they transition to AI-assisted development. This partnership brings Snyk Code capabilities into the existing workflows of development teams using Gemini. It enables developers to scan their AI-generated code in seconds, evaluating code created by Gemini in context with the rest of the application. Then, it offers step-by-step fix suggestions right in the IDE. By finding and fixing vulnerabilities in their AI-generated code as soon as they commit it, developers can continue moving with the velocity that AI enables without compromising security.

Learn more about our partnership with Gemini Code Assist.

Posted in:AI
wordpress-sync/feature-5FoCS4

Best practices for AI in the SDLC

Download this cheat sheet today to learn best practices for how to leverage AI in your SDLC, securely.

See the cheatsheet
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon