Can AI be used to finally secure software and data supply chains?
Software supply chain attacks loom large on the cybersecurity landscape, with threats and attacks such as SolarWinds, 3CX, Log4Shell, and now XZ Utils underscoring the potentially devastating impact of these security breaches. The latter examples involve Open Source Software (OSS), a growing attack vector. This is being felt locally in Australia, according to a report from PwC.
Expect attacks on the open-source software supply chain to accelerate, with attackers automating attacks on common open-source software projects and package managers. Many CISOs and DevSecOps teams are unprepared to implement controls in their existing build systems to mitigate these threats. The coming year will see DevSecOps teams migrate away from shift-left security models in favour of "shifting down" by using AI to automate security out of the developers' workflows.
Here, I will discuss how AI can help developers work more efficiently while concurrently creating more secure code.
The importance of governance in the data supply chain
Security professionals must consider how security vulnerabilities extend to their data supply chains. Although organisations typically integrate externally developed software through their software supply chains, their data supply chains often need clearer mechanisms for understanding or contextualising data. In contrast to software's structured systems or functions, data is unstructured or semi-structured and faces a wide array of regulatory standards.
Many companies are building AI or Machine Learning (ML) systems on top of enormous data pools with heterogeneous sources. ML models on model zoos are published with minimal understanding of the code and content used to produce the models. Software engineers need to handle these models and data just as carefully as they do the code going into the software they're creating, with attention to its provenance.
DevSecOps teams must assess the liabilities of utilising data, especially when building Large Language Models (LLMs) to train AI tools. That demands careful data management within models to prevent the accidental transmission of sensitive data to third parties like OpenAI.
Organisations should adopt strict policies outlining the approved usage of AI-generated code, and when incorporating third-party platforms for AI, conduct a thorough due diligence assessment, ensuring that their data will not be used for AI/ML model training and fine-tuning.
AI security automation will help organisations transition from 'shift-left' to 'shift-down.'
The industry adopted the shift-left concept a decade ago to address security flaws early in the software development lifecycle and to enhance developer workflows. Defenders of systems have long been at a disadvantage; AI has the potential to level the playing field. As DevSecOps teams navigate the intricacies of data governance, they must also assess the impact of the evolving shift-left paradigm on their organisations' security postures.
Companies will begin moving beyond shift-left to embrace AI to fully automate security processes and remove them from the developer's workflow. This is called "shifting down" because it pushes security into automated and lower-level functions in the tech stack instead of burdening developers with complicated and often difficult decisions.
GitLab's Global DevSecOps Report: The State of AI in Software Development found that developers spend only 25% of their time on code generation. AI can elevate their output by optimising the remaining 75% of their workload. That's one way to leverage AI's capacity to solve specific technical issues and improve the efficiency and productivity of the entire software development life cycle.
When we look back on the year that was, I expect we will reflect on how the escalating threats to OSS ecosystems adversely affected global software supply chains. The impact of this will catalyse substantial changes in cybersecurity strategies, including a heightened dependence on AI to safeguard digital infrastructures. The cybersecurity landscape is already transforming, with a growing focus on mitigating supply chain vulnerabilities, enforcing data governance, and incorporating AI into security measures. This transformation promises to steer DevSecOps teams toward software development processes with efficiency and security at the forefront.