News

Remain code-compliant in a regulated, AI-powered world

  • securityboulevard.com
  • published date: 2025-06-23 00:00:00 UTC


<p>Artificial intelligence (AI) has already transformed software development. The productivity gains that AI coding assistants like ChatGPT, GitHub Copilot, and Amazon CodeWhisperer can deliver are undeniable. However, AI tools bring their own set of challenges, particularly when it comes to maintaining code compliance.</p>

<p>AI coding assistants can introduce code defects that impact software reliability, security vulnerabilities, intellectual property (IP) infringement, and more. These risks are especially significant in industries where software quality is paramount due to safety concerns (healthcare, manufacturing, transportation, etc.).</p>

<p>In this blog, you’ll learn some practical ways to maintain code compliance in today’s AI-powered development landscape.</p>

<h2>Key takeaways</h2>

<ul>
<li>AI code assist tools (Copilot, ChatGPT) boost productivity but introduce defects and vulnerabilities.</li>
<li>Studies: GitHub Copilot is inaccurate about 54% of the time; ChatGPT about 35%.</li>
<li>Mitigation strategies include code reviews, automated testing, SAST/DAST, and compliance checks.</li>
<li>Maintain human oversight and leadership to ensure regulatory adherence.</li>
<li>Use developer-friendly AppSec tools like Black Duck to shift quality and security left.</li>
</ul>

<h2>Benefits and risks of AI coding assistants</h2>

<p>For most developers, the productivity benefits of AI coding assistants outweigh potential risks. A recent study revealed that developers using GitHub Copilot benefit from a whopping <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4945566">26.08% increase in completed tasks</a>. And data scientist Sahin Ahmed found that using the AI coding assistant effectively turns an <a href="https://medium.com/@sahin.samia/can-ai-really-boost-developer-productivity-new-study-reveals-a-26-increase-1f34e70b5341">eight-hour workday into 10 hours of output</a>.</p>

<p>The study evaluated the impact of generative AI on software developer productivity via randomized controlled trials at Microsoft, Accenture, and an anonymous Fortune 100 company. It was conducted by researchers at Princeton University, MIT, Microsoft Corp., and the University of Pennsylvania.</p>

<p>However, AI coding assistants can also introduce very real risks. A recent <a href="https://arxiv.org/pdf/2304.10778">Bilkent University study</a> revealed that the latest versions of ChatGPT, GitHub Copilot, and Amazon CodeWhisperer generate inaccurate code 34.8%, 53.7%, and 68.9% of the time, respectively. Worse, <a href="https://arxiv.org/pdf/2211.03622">Stanford University research</a> demonstrated that users of AI code assistants “wrote significantly less secure code” but were “more likely to believe they wrote secure code.”</p>

<p>Software embedded in many physical products must be exceptionally reliable, because failure could threaten personal safety, property, and the environment. Embedded software may be subject to functional safety regulations as well. Failure to comply with these regulations can have significant legal and financial implications. And defects that result in outages or negatively impact user experience can damage an organization’s reputation and give competitors an advantage.</p>

<h2>Practical mitigation: testing, SAST, DAST and compliance</h2>

<p>In this landscape, it is essential to take measures to minimize the risks of AI coding assistants. Rigorous testing, validation, and oversight are required to ensure that AI-generated code is reliable and secure. This includes, but is not limited to:</p>

<ul>
<li><b>Code reviews:</b> Systematic human reviews of AI-generated code to identify potential errors, security flaws, and violations of coding standards</li>
<li><b>Automated testing:</b> Automated unit tests, integration tests, and security scanning to ensure code functionality, identify vulnerabilities, increase developer productivity, and eliminate human error</li>
<li><b>Vulnerability checks:</b> Checks that identify and mitigate vulnerabilities in AI-generated code</li>
<li><b>License and compliance checks:</b> Checks to ensure AI-generated code doesn’t violate any licenses or compliance requirements</li>
<li><b>Static application security testing (SAST):</b> <a href="https://www.blackduck.com/static-analysis-tools-sast.html">Scanning by SAST</a> tools to identify potential security issues or code quality problems before code is executed</li>
<li><b>Dynamic application security testing (DAST):</b> <a href="https://www.blackduck.com/dast.html">Scanning by DAST</a> tools to identify runtime errors or unexpected issues in a controlled environment</li>
<li><b>Continuous integration and continuous delivery (CI/CD):</b> Integrating the testing and validation process into the CI/CD pipeline to ensure code changes are automatically checked for errors and vulnerabilities</li>
</ul>

<p>Maintaining human oversight and expertise throughout the AI-assisted development process is critical to ensure that code meets a project’s specific needs and standards. Leadership plays a crucial role in this process. When leaders set the tone from the top, it sends a clear message about the importance of code compliance. This approach can help to instill a sense of responsibility and accountability among all team members.</p>

<p>Regular training sessions for developers are also required. Compliance training should emphasize continuous learning and cover coding standards, security protocols, data privacy, and ethical guidelines.</p>

<h2>Choosing the right AppSec solution</h2>

<p>In complex IT environments, AppSec tools that increase visibility into the codebase are essential. By centralizing risk management, development teams gain a clear and comprehensive view of the code, making it easier to identify and address potential issues.</p>

<p>When selecting an AppSec solution, look for developer-friendly options that integrate with IDEs, code repositories, and CI/CD pipelines, and support the programming languages, frameworks, and platforms developers use. Black Duck offers solutions that enable development teams to easily</p>

<ul>
<li>Identify defects early in the development process, when they’re easiest to resolve and before they impact customers</li>
<li>Eliminate critical defects and vulnerabilities to ensure customer safety and comply with regulatory requirements</li>
<li>Identify and mitigate software supply chain vulnerabilities to protect systems and data from being exploited</li>
<li>Prevent legal issues and IP risks by detecting code pulled from software with license obligations, including small snippets</li>
</ul>

<h2>Black Duck helps enforce AI-era code compliance</h2>

<p>Maintaining code compliance in the AI-driven software development landscape demands a proactive approach. By prioritizing quality, security, and regulatory adherence, organizations can build robust, reliable software that meets the highest standards.</p>

<p>For more information, check out “<a href="https://www.blackduck.com/resources/white-papers/automated-static-analysis.html">Build Reliability and Security into Your SDLC</a>.” This white paper explores how to ensure your software is free of critical defects, integrate static analysis seamlessly into your SDLC, and accelerate your development velocity.</p>

<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.blackduck.com/blog.html">Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Corey Hamilton">Corey Hamilton</a>. Read the original post at: <a href="https://www.blackduck.com/blog/ai-powered-code-compliance-strategies.html">https://www.blackduck.com/blog/ai-powered-code-compliance-strategies.html</a></p>
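The mitigation list above (SAST, license and compliance checks, CI/CD integration) describes a pipeline gate in prose. The following Python script is an added example, not code from the post or from Black Duck, of what such a gate looks like in practice: it reads SAST findings in the SARIF 2.1.0 interchange format that most static analysers can emit, reads a list of third-party components with their detected licenses (the shape a license scanner or SBOM would give you), and blocks the change when a finding meets the severity threshold or a component's license is missing or not on the allowlist. The threshold, the allowlist, the tool name and every component and file name are constructed for the demonstration.

```python
"""Added example: a minimal CI/CD compliance gate for AI-generated changes.

Inputs (both constructed for this demo, not taken from any real scan):
  1. SAST results in SARIF 2.1.0 (the result.level values "none", "note",
     "warning", "error" are the ones the SARIF spec defines).
  2. A component list with SPDX license identifiers, as a license scanner
     or SBOM tool would report it.
"""
import json
import sys
from dataclasses import dataclass, field

# Rank of the four SARIF result levels, lowest to highest severity.
SARIF_LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Hypothetical policy: findings at or above this level block the merge.
BLOCKING_LEVEL = "error"

# Hypothetical allowlist of SPDX identifiers; copyleft licenses that would
# impose obligations on a proprietary product are deliberately absent.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}


@dataclass
class GateResult:
    passed: bool
    blocking_findings: list = field(default_factory=list)
    license_violations: list = field(default_factory=list)


def blocking_sast_findings(sarif_text: str, threshold: str = BLOCKING_LEVEL) -> list:
    """Return SARIF results whose level meets or exceeds the threshold."""
    doc = json.loads(sarif_text)
    limit = SARIF_LEVEL_RANK[threshold]
    hits = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF allows level to be omitted; the spec's default is "warning".
            level = result.get("level", "warning")
            if SARIF_LEVEL_RANK.get(level, 0) < limit:
                continue
            # Location is optional in SARIF, so degrade gracefully.
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            hits.append({
                "rule": result.get("ruleId", "unknown"),
                "file": phys.get("artifactLocation", {}).get("uri", "?"),
                "line": phys.get("region", {}).get("startLine", 0),
                "message": result.get("message", {}).get("text", ""),
            })
    return hits


def license_violations(components: list, allowed=ALLOWED_LICENSES) -> list:
    """Components whose license is absent or not allowlisted.

    A missing license is a violation, not a pass: unknown provenance is
    exactly the risk the check exists to catch.
    """
    return [c for c in components if c.get("license") not in allowed]


def run_gate(sarif_text: str, components: list, threshold: str = BLOCKING_LEVEL) -> GateResult:
    """Evaluate both checks and report whether the change may proceed."""
    findings = blocking_sast_findings(sarif_text, threshold)
    violations = license_violations(components)
    return GateResult(not findings and not violations, findings, violations)


# Constructed SARIF document: one blocking finding, one informational one.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Imported module never used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})
CLEAN_SARIF = json.dumps({"version": "2.1.0", "runs": []})

# Constructed component list: one allowlisted, one copyleft, one unknown.
SAMPLE_COMPONENTS = [
    {"name": "httpclient-lite", "version": "1.4.2", "license": "Apache-2.0"},
    {"name": "pad-helpers", "version": "0.1.0", "license": "GPL-3.0-only"},
    {"name": "mystery-lib", "version": "1.0.0"},  # no license detected
]


if __name__ == "__main__":
    result = run_gate(SAMPLE_SARIF, SAMPLE_COMPONENTS)
    for f in result.blocking_findings:
        print(f"BLOCK {f['rule']} {f['file']}:{f['line']} {f['message']}")
    for c in result.license_violations:
        print(f"BLOCK license {c['name']}@{c['version']}: {c.get('license', 'none detected')}")
    sys.exit(0 if result.passed else 1)
```

Run as a pipeline step, a non-zero exit code fails the job, so the AI-generated change cannot merge until the flagged finding is fixed or the component is replaced or its license approved. Raising `threshold` to `"warning"` turns the same script into a stricter gate without changing the scanners that feed it.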