When Generative AI (GenAI) assisted coding companions were lauded for improving developer productivity by 50%, no one foresaw that they could also save phishers two days’ work. The technology that powers ChatGPT also powers FraudGPT – a legit, all-in-one cybercrime solution, which has set off alarm bells for enterprise leaders. As per a Gartner survey, 57% of IT and security leaders are concerned about leaked secrets in AI-generated code.
While enterprises cannot afford to be fence-sitters regarding GenAI, they must make certain trade-offs and investments before they can use GenAI in their workstreams securely. First and foremost, security should become a core business goal, not a technical requirement. This calls for prioritizing security as the top-of-the-agenda item even before the application development starts.
Secure-by-Design is an approach that proactively identifies all known vulnerabilities and creates a minimal viable security blueprint. This mindset builds security protocols into software applications from ideation to coding through deployment and maintenance. It makes applications secure by default, assuring out-of-the-box security without the end user needing to configure changes or add security features at an additional cost.
Fortifying GenAI-Assisted Code with Secure-by-Design
Before delving into the specifics of implementing “Secure-by-Design,” it is essential to debunk the myth of achieving 100% security in software applications. Yet a large number of code vulnerabilities can be traced back to a relatively smaller set of root causes, making it essential to cover all known bases that could potentially become downstream system vulnerabilities.
Here’s how Secure-by-Design can help enterprises safeguard GenAI-generated applications:
- Minimize the Threat Surface: It is widely acknowledged that absolute security is unattainable. This, however, should not lead to complacency but rather to a heightened commitment to fortify applications against potential threats. Secure-by-design practices orient teams to an application blueprint that factors in potential and known threats even before the code is written, effectively minimizing the threat surface.
- Secure from the Start: Secure-by-Design practices compel enterprises to think security-first. These practices ensure that the code shipped to production is secure against known threats and that the application has enough guardrails to defend against common cyber risks and address known vulnerabilities. By not treating security as an afterthought, secure-by-design practices can help fortify the security posture, improve regulatory compliance, and lower maintenance and patching costs.
- Enable the DevSecOps Advantage: Most GenAI-coding companions are DevSecOps-enabled, i.e., they shift testing left in the software lifecycle – running unit tests as the code is written. This can help enterprises ward off security breaches and save up to $1.7 million in costs of fixing a breach compared to enterprises that do not embrace DevSecOps fully.
Six-Point Checklist to Operationalize Secure-by-Design
Building a security-first mindset requires evaluating all decisions made during the software development lifecycle through a security lens. These decisions create a series of bulwarks against known vulnerabilities that could be overlooked if security considerations are brought in close to go-live or even after it. Most cyber-attacks happen not due to a single vulnerability but due to a series of system failures that allow bad actors to progressively gain access to critical applications or data. Building in a series of security bulwarks that safeguard the overall security posture, even if one of the security mechanisms is compromised, is therefore key to truly securing applications in the age of GenAI.
These bulwarks could be:
- Consider Least Privilege: Least privilege is analogous to the JIT (Just in Time) principle and should be encoded into the application to allow access based on user profile, role, and context. Enabling it requires considering the object models, API granularity, and data classifications. Tools like CodeWhisperer will consider this by default.
- Review Third-party Libraries: Coding companions leverage third-party and open-source libraries, making it essential to evaluate inherent security risks. Enterprises must maintain a software bill of materials (SBOM) to list all third-party, open-source components and their licensing, which can help identify vulnerabilities and manage risks by building protection around known risks until they are fixed.
- Account for Mobility: As hybrid work culture becomes a norm, users need access to applications from locations, networks, and devices that cannot be directly controlled. Mobility requirements are fulfilled by APIs over the internet, and while coding, teams need to design checkpoints that allow minimal viable mobile access, with further access requests put through more stringent access controls.
- Automate Last-Mile Security: While GenAI coding tools automate much of the testing, security vulnerabilities may still arise when the software is deployed. It helps to automate end-user configuration, log and alert generation, and batch reviews of failed jobs. Features such as auto-recovery, auto-scaling, circuit breakers, and auto fail-safe can be embedded into the design phase to ensure high application availability.
- Review Cloud-specific Design: Given the prevalence of cloud deployment, conducting a cloud posture assessment becomes paramount. Designing applications with cloud-specific security aspects in mind, such as key management, certificates, security policies, multi-tenancy, Web Application Firewall (WAF) protection, and data encryption, is crucial.
- Review Default Configuration: Default configurations for plug-and-play applications are among the most exploited vulnerabilities. Enterprises should evaluate whether these defaults are required and, in critical cases, force users to update them within a stipulated time.
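An added example for the "Review Third-party Libraries" item above (not code from the original article or from any tool it names): a check that reads an SBOM in CycloneDX JSON shape and flags unpinned components, undeclared or non-allowlisted licenses, and components that match an advisory list. The component names, the license allowlist and the advisory id are constructed placeholders.

```python
import json

# Constructed sample SBOM in CycloneDX JSON shape; component names are made up.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "demo-http", "version": "2.4.1", "purl": "pkg:pypi/demo-http@2.4.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "demo-yaml", "version": "1.0.3", "purl": "pkg:pypi/demo-yaml@1.0.3",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "demo-crypto", "version": "0.9.0", "purl": "pkg:pypi/demo-crypto@0.9.0"},
    {"name": "demo-utils", "licenses": [{"license": {"id": "MIT"}}]},
]})

# Assumptions: an organisation license policy and an advisory feed keyed by purl.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
KNOWN_VULNERABLE = {"pkg:pypi/demo-crypto@0.9.0": "PLACEHOLDER-ADVISORY-1"}


def license_ids(component):
    """SPDX ids, names or expressions declared for one component."""
    out = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        out.append(lic.get("id") or lic.get("name") or entry.get("expression"))
    return [value for value in out if value]


def audit_sbom(sbom_text):
    """Return sorted (component, issue) findings for a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append((name, "no pinned version"))
        # A component with no license data is treated as a policy failure too.
        for lic in license_ids(comp) or ["<undeclared>"]:
            if lic not in ALLOWED_LICENSES:
                findings.append((name, f"license not on allowlist: {lic}"))
        advisory = KNOWN_VULNERABLE.get(comp.get("purl"))
        if advisory:
            findings.append((name, f"known advisory: {advisory}"))
    return sorted(findings)
```

Run in CI against the SBOM produced at build time, a non-empty result from `audit_sbom` can fail the pipeline or open a ticket so that protections are built around the flagged component until it is fixed.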
GenAI as a means for improved security
Secure-by-Design principles should ideally apply to all sorts of software development, but with the advent of GenAI-coding assistants, they have become mainstream. The need to shift security left to deliver software that is compliant, secure, and accountable for customer safety has now gained traction, with the European Union’s Cyber Resilience Act requiring IT firms to implement security practices throughout the product lifecycle.
At Persistent, our approach to application security expands beyond the legacy approach of discovering, identifying, analyzing, and remediating vulnerabilities. We take a holistic approach, going several levels above the code to account for business impact, risk, and asset categorization to create a risk-based blueprint for development teams to refer to and build on. Aligning security considerations with business contextualization, we enable enterprises to prioritize application security and automate the remediation process, delivering secure-by-default code.