Best practices for using AI in the SDLC
Frank Fischer
July 19, 2023
0 mins readAI has become a hot topic thanks to the recent headlines around the large language model (LLM) AI with a simple interface — ChatGPT. Since then, the AI field has been vibrant, with several major actors racing to provide ever-bigger, better, and more versatile models. Players like Microsoft, NVidia, Google, Meta, and open source projects have all published a list of new models.
In fact, a leaked Google document makes it seem that these models will be ubiquitous and available to everyone soon.
Source: Dr Alan D. Thompson, LifeArchitect.ai (May/2023), https://s10251.pcdn.co/wp-content/uploads/2023/03/2023-Alan-D-Thompson-AI-Bubbles-Rev-7b.png
As a person who has been extremely active in the field of AI for many years, I find this public interest extremely exciting! But I also find many of the news stories, well, a bit concerning. AI is an amazing technology, but after seeing students get busted for handing in AI-written papers and even a lawyer citing hallucinated cases in a court brief, it's important for all of us to realize AI isn't a silver bullet — it's a tool. And tools can break. Even really fancy ones built on cutting technology.
In this post, we'll look at how AI can be used to improve the software development lifecycle (SDLC) and the pitfalls that can come from blindly applying AI to your existing processes.
AI and software development: The good and the bad
Applying AI to your products can make them stand out in the crowd (even if only as bells and whistles), but applying AI within the SDLC (development, monitoring, management, etc.) can be a major game changer when you're trying to outmaneuver your competition. Here are some of the ways:
Efficiency: AI-backed tools can quickly process massive amounts of code or log files.
Improved code security and quality: With the right tools, AI can find issues and provide possible code fixes instantly.
Increased innovation in code: Code suggestions can bring in new ideas and different ways to solve an issue.
Boosted process speed: AI can speed up the process by preparing the information necessary to make a decision and provide elements (like code snippets) so teams can simply execute.
Lowered cognitive load: AI can help humans understand an unfamiliar situation more quickly, making the work less exhaustive.
But, a new productivity tool comes with new risks and challenges:
Data leaks: Sensitive information can accidentally be leaked if it's fed into a tool that uses queries to further train models.
Skill atrophy: Your workforce can start to lose abilities if they rely to heavily on AI to provide correct answers or insights.
Hallucinations: AI models (such as LLM) suffer from what is called “hallucinations”, which means the models produces extremely convincing argumentation that are simply not true.
Bad suggestions: If an AI is trained on bad code, it will suggest bad fixes based on its training set.
Fakers: AI enables persons with low to no experience and knowledge in programming to produce code. It is expected that the amount of source code will significantly increase within the coming years. As a CISO, engineering leader, or hiring manager, you need to be prepared for this.
License infringement: There is currently a huge discussion about the licensing of the training data. A worst-case scenario would be that code produced by models that use copyleft licenses would also be copyleft — meaning your application would suddenly become open source.
Bad Actors: While this one is not specific to the SDLC, there is no avoiding that AI will be used by attackers. There are more sophisticated scenarios like data poisoning (“training” an intrusion detection system on a certain pattern that when it is used later it won’t be recognized as malicious), but those are not common yet. Realistically, we can expect that the level of expertise required to design and execute a qualitatively better attack has been lowered significantly. So we will likely see more frequent and sophisticated attacks.
Adopting new tools is exciting — and, at times, overwhelming. To simplify the process of integrating AI into your SDLC, we created a cheat sheet with eight best practices to keep you on track.
Download the cheat sheet today for more information, and start your free trial or book a demo with one of Snyk's security experts to learn how Deepcode AI can turbocharge your SDLC.
Own AI security with Snyk
Explore how Snyk’s helps secure your development teams’ AI-generated code while giving security teams complete visibility and controls.