
AI promises to improve application security
It’s not clear to what degree artificial intelligence (AI) might improve cybersecurity, but there is some cause for optimism. A survey of 3,093 developers conducted by Evan Data finds that a third (33%) expect AI to improve code security. Exactly how and when, however, is unclear.
Not every application developer is equally well-versed in security, so generative AI platforms are already helping many developers write more secure code by making recommendations. However, there are also going to be instances where generative AI platforms might increase the number of vulnerabilities in applications.
That issue stems from how the first wave of generative AI platforms was trained. As an example, ChatGPT’s training process included collecting content from various sources on the Web, which in many instances encompassed code samples with known vulnerabilities. Not surprisingly, some of the code generated by these platforms reproduces those same known vulnerabilities. Developers who lack cybersecurity expertise are inclined to trust the recommendations made by generative AI platforms, which may cause more vulnerabilities to find their way into applications as the pace of code writing accelerates.
The good news is that the next generation of large language models (LLMs) used to generate code is undergoing training with samples that experts have vetted for vulnerabilities. Embedding these LLMs into the tools developers use to write code will enhance the overall quality of the generated code. Aside from the developers themselves, no one is likely to be happier about that than the cybersecurity professionals who spend a lot of time looking for these vulnerabilities in software.
Theoretically, at least, AI should ultimately improve the relationship between cybersecurity professionals and application developers. Many of the vulnerability alerts that developers receive turn out to be false alarms, primarily because either the vulnerability isn’t actually present in the code running in a production environment or the application itself isn’t connected to the Internet. The more alerts inundate developers, the more likely they are to stop paying attention to them. AI creates an opportunity to both identify and remediate vulnerabilities at the time a developer is writing code, which should reduce the number of alerts generated long after a developer has moved on to their next project.
Most developers will only spend about 10% of their time creating patches for existing applications. The pressure to meet deadlines for new applications is often too great for them to troubleshoot existing ones. However, if a generative AI platform can create the needed patch, it should become more feasible for junior developers to fix issues in an application they did not initially write without breaking it. The primary reason organizations don’t patch applications as often as they might is that developers are usually concerned the patch will break the application, so a known vulnerability may persist because the risk of disruption to the business is judged too great.
Of course, in the age of ransomware, the business may not have more to lose by not patching applications when the data that the organization depends on to function suddenly becomes encrypted. These days, not patching an application often creates more risk than patching it.
Hopefully, AI will one day resolve all these inherent conflicts. In the meantime, however, cybersecurity professionals might want to make sure all that code being generated today by AI isn’t about to create more harm than good.
