AI coding security discussion with JFrog
Wednesday, February 19, 2025
Richard Harris
We recently caught up with Eyal Dyment from JFrog and discussed selecting an AI coding security methodology, including key considerations for developers and businesses. Eyal shared insights on AI security risks, safe adoption strategies, and the importance of collaboration in DevSecOps.
Eyal Dyment, Vice President of Security Products at JFrog, shares his insights in this Q&A on the crucial considerations for developers and businesses when selecting an AI platform. With AI’s transformative role in coding and software development, Eyal addresses key security risks, the growing reliance on AI-powered technologies, and the steps developers can take to integrate these tools safely and effectively.
Selecting an AI coding security platform for development needs
Topics include the vulnerabilities inherent in public-facing AI/ML engines, such as data poisoning and malicious code injection, and how the "shift left" approach can mitigate risks early in the software development lifecycle. Eyal emphasizes the importance of collaboration between developers and security teams to ensure AI adoption remains both innovative and secure, offering a balanced perspective on the challenges and opportunities of leveraging AI in today’s development landscape.
ADM: What are the top security risks developers should be looking out for when developing with AI technology?
Dyment: There are quite a few security risks developers should always be looking out for due to the self-evolving nature of AI technologies, including the introduction of malicious code into AI/ML models, vulnerabilities in open-source software (OSS) used in AI, code integration with AI services, risky AI-generated code that has not been fully evaluated, and data poisoning. No matter how minor, cybercriminals can exploit these vulnerabilities to breach corporate networks and cause significant damage. Addressing these types of risks requires stringent security checks and a proactive approach to securing the software supply chain.

ADM: What types of AI-powered technologies are developers currently using to guide software creation?
Dyment: We are in the very early stages of understanding how AI-powered technology can be utilized to its full potential in software creation. As more and more developers are tasked with its integration, we see it largely being utilized for code generation and optimization. AI-powered coding assistants are also popular as they can provide error detection, correction and suggestions. While these tools are incredibly beneficial and can save both time and resources, they also raise security concerns.
ADM: Why can’t organizations simply block their developers from using AI technology or any other software component that might introduce risk to their organization?
Dyment: AI technology isn’t going anywhere. While it introduces new risks, the advantages of using these tools far outweigh the potential drawbacks. AI is integral to modern software development, and many organizations already rely on AI/ML for critical tasks. Blocking AI would be a significant setback, stifling progress for both the organization and its developers. Instead, organizations need to equip developers with the correct resources so that they can utilize AI technology safely while remaining competitive and efficient. Proper security training and proactive measures can mitigate risks without forgoing AI’s advantages.

ADM: What is the fastest way for a developer who’s not working in AI now to get started with safely leveraging the technology?
Dyment: Considering security early in the software development lifecycle has not traditionally been a standard practice amongst developers. Of course, this oversight is a goldmine for cybercriminals who exploit ML models to inject harmful malware into software. The lack of security training for developers makes the issue worse, particularly when AI-generated code, trained on potentially insecure open-source data, is not properly screened for vulnerabilities.
As a developer, the first thing to do is understand where the potential security vulnerabilities lie and how they can effectively be addressed. Adopting a collaborative "Shift Left" approach with security teams will ensure that security measures are implemented from the very beginning of the development process. This is critical when working with AI tools because much of the created code and models come from external sources, posing security risks. A shift left approach will detect these vulnerabilities from the start. Utilizing vetted AI and machine learning tools as much as possible will also reduce risks and ensure secure usage.

ADM: How does the “shift left” approach alleviate future security concerns?
Dyment: By integrating security measures early on in the software development lifecycle, the potential for future vulnerabilities is identified and mitigated at the earliest stages. Security compliance is also improved, particularly when using external code or models. A proactive approach to security empowers developers to embrace AI technology confidently, enabling them to focus on innovation and efficiency without fear.
ADM: Why is it crucial for developers and security teams to eliminate silos and collaborate throughout this process?
Dyment: Collaboration is key when it comes to integrating robust security measures throughout the software development process. Collaboration enables developers to act as security champions, bridging the gap between development and security operations (DevSecOps) while encouraging knowledge-sharing to align on best practices and minimize oversights. This unified approach strengthens defenses against cybersecurity threats, a critical need given the self-evolving nature of AI. By prioritizing proactive security strategies and teamwork, organizations can harness AI safely and effectively.
