Published on: March 10, 2024
Pieter Danhieux, Co-Founder and CEO of Secure Code Warrior, recently discussed the evolving role of developers and the integration of AI tools in software development with SafetyDetectives. He emphasized the need for developers to prioritize security practices and provide oversight to AI-generated code. Danhieux highlighted essential security benchmarks for both AI assistants and developers, stressing the importance of visibility, data-driven measurement, and flexibility in security programs.
Can you introduce yourself and talk about what motivated you to co-found Secure Code Warrior?
Sure thing. My name is Pieter Danhieux, and I’m the Co-Founder and CEO of Secure Code Warrior, a global security company that makes software development better and more secure.
Gadgets and electronics have always interested me. When I was younger, I used to spend countless hours pulling apart my family’s computer and radios and putting them back together. Even into early adulthood, my obsession entered the software realm where I began testing its limits and finding ways to break it. I spent my free time breaking into ATMs, cars, websites – and even traveled alongside 20-30 other ethical hackers who shared the same thrill of finding cracks within software code. 20+ years later and I still came across one common theme: it wasn’t getting any harder to break into these systems. Decades had passed and the same code bugs weren’t improving.
I realized I had spent so much time training individuals to break in, but wasn’t focused on the root of the problem. This led to a passion for cybersecurity and how to empower software engineers to proactively defend their software and stop insecure code from being introduced in the first place.
How do you perceive the evolution of the developer role into “architectural builders” in the context of shifting focus towards secure code applications, and what are the key factors driving this transformation?
As new generative AI tools are adopted by keen development teams, organizations will need to figure out how they can trust the output of code assistance tools from a security, legal and IP perspective, and how these tools and outputs can be most effectively leveraged.
Generative AI still lacks the human oversight needed to verify code sequences and processes. As such, while AI may eventually enhance and be the driver behind code development, the developer role will shift its focus and responsibility toward the contextual application of that code. These architects will be in charge of understanding the strengths and inherent weaknesses of what their AI tools generate and navigating them as the master “pilot,” ultimately making decisions with a holistic, security-centric understanding of how components are used.
Over the next year or so, the concept of the “average” developer as we know it will be left behind, replaced by developers working in tandem with AI who will use its capabilities as a stepping stone to advance to more challenging, technical projects.
As organizations increasingly adopt generative AI tools for code assistance, what challenges do you foresee in terms of ensuring the security, legality, and intellectual property protection of the generated code, and how can developers address these challenges effectively?
AI tools for code writing and code analysis – that is, tools that can discover vulnerabilities within code – are still in their early stages. We have yet to see AI that can generate completely secure code in every context, or catch every vulnerability/weakness within a codebase.
While AI tools can certainly assist developer productivity, they must be utilized safely. The most challenging aspects of integrating these AI tools into business operations are determining which outputs can be trusted, the strengths and weaknesses of each tool, which tools offer the best options for a company’s tech stack – and how teams can ensure their results are consistent if everyone is using a different tool/process. On top of this, there is the inherent challenge of measuring how much public data is available for different coding languages that AI tools can be trained on to generate secure code. LLMs are only as good as their training data, and there is a huge margin for error, especially for less popular languages.
Addressing these challenges starts with hiring security-focused, top developers to provide the correct verification and implementation oversight. These developers must consider the output of their AI tools with a grain of salt, considering hallucinations and false results are still a leading concern when implementing recommendations. Deciphering security best practices and spotting poor coding patterns that can lead to exploitation is a critical skill that developers should prioritize. This “human perspective” is what development teams need to be able to anticipate and defend against increasingly sophisticated attack techniques.
Could you elaborate on the role of specialized, highly-skilled developers in tandem with AI, acting as project managers, designers, and architects? How does this collaboration reshape traditional development workflows, and what are the implications for security and code quality?
Over time, it can be presumed that developers will enjoy significant productivity gains and write less code themselves. Instead, they will focus more on software architecture and how their projects align with more comprehensive business goals and initiatives. Developers will leverage AI tools for more tactical tasks that can afford to be automated – with thorough reviews, of course – while focusing on providing strategic counsel to their companies in areas like compliance requirements for data and systems, design and business logic, and threat modeling practices for developer teams.
In terms of reshaping traditional development workflows, AI tools will eventually be seen as “companions” or “co-pilots” to developers, responsible for generating starting points for code or offering suggestions where helpful. But this should only be the case once the developers have proven their security awareness and skills to ensure best practices are always followed and that the tools will not be used as a mere crutch to make up for a lack of foundational security knowledge. Used effectively, this workflow has all the potential to increase productivity while maintaining security.
By far the greatest challenge will be maintaining code quality. We are already dealing with vulnerable third-party components as a key threat vector that has enjoyed a spot in the OWASP Top 10 for many years, and AI coding tools essentially dispense third-party code on tap. We know that this will increase productivity and speed of feature delivery, but without oversight and critical thinking applied by a security-skilled developer with significant training in security best practices, so too will the speed and potency of potentially exploitable code increase. Put simply, for those who care about software security (and every software producer should), this is no shortcut, and we need to look at establishing a new, safe pair programming workflow where humans and AI tooling collaborate in a way that mitigates risk.
What steps do you believe organizations and development teams should take to adapt to the evolving role of developers and the integration of AI tools?
Developers will need to start assessing their current status in terms of skills and learning opportunities to understand what AI cannot do, or is weakened by. AI tools can write average code, but the technology has weaknesses in performance, security and privacy. Mastery of AI in secure software development, therefore, will be a valuable business asset, which should inspire “average” developers to upskill and take on more secure software architecture/design leadership, while bringing in AI tools to handle more mundane tasks. This will provide an invaluable impact to businesses looking to grow their productivity, their offerings and, equally important, their people.
Organizations should also begin implementing measurements of success for both developer skill credentials and AI assistants. Development teams go through the same secure code program – but that can represent a bell curve of experts, mean performers, and underperformers.
In your view, what are some essential security-based benchmarks that both AI assistants and developers should follow to maintain code integrity and mitigate potential vulnerabilities?
Security teams need to assess the effectiveness of their program and empower developer teams toward improvement. A strong security program has three major components:
- Visibility into its effectiveness
- Data-driven measurement to understand how organizations compare within their industry
- Flexibility to adjust goals based on the pace and skill level of the development team
These standards can provide the current state of an organization’s security learning program and enable teams to optimize their performance. At the individual level, this helps developers identify what’s going well, what needs improvement and essentially helps create a learning path forward for continued growth. This will prove especially helpful as the developer role continues to evolve.
With AI coding tools as they stand today, these can and should be assessed on their security impact, and effectiveness in balancing productivity and risk mitigation within the codebase. This can take the form of measuring their output directly, or in tandem with a human developer. Ultimately, any tools in use within the developer workflow should be monitored as part of the overall security program.