Here are my notes from the discussion today...

Real Talk on navigating code security in the age of AI

1 Application Security Specialist : 100 Software Developers

Round 1 - AI Adoption and Security Policies
- Companies move fast in fast-growing industries. How to protect customers/company in those fast-growing industries.
- Concerns about indexed code becoming part of the provider's offering.
- Lots of interest in running models locally, self-hosted.
- GitHub Advanced Security + Autofix + Campaigns makes it really easy for one person to handle a huge backlog of issues.
- Developers are in two camps: skeptics and those that are starting to explore.

Round 2 - Best Practices + Lessons Learned
- Tackle issues by category to reduce context switching.
- Using tools that are accessible to people who aren't professional engineers (e.g. focus on education).
- Use scorecards as starting checklists.
- Note, Dependabot only scans the default branch. So branch releases don't get reviews/scans.
- Apple is doing tons of chain-of-custody tracking on their server hardware (picture at fab, GPS during shipping, verification at installation).
- Detecting issues/attacks as they occur.

Round 3 - Future Proofing
- Current devs have way more security information than before. They still ignore it. AI/Autofix just increases the amount of information.
- How to scale?
- Gandalf.AI (learning prompt injection)
Discussion Lounge Abstract
While AI pair programmers like GitHub Copilot make the process of building software both easier and faster, a question remains: what about security? Join GitHub's Joseph Katsioloudes, senior developer advocate, and Kasia Sitkiewicz, staff product manager, in the Discussions Lounge to explore the opportunities this new era of AI provides us and how we can minimize the gap in software security. This is vital given that there's only one application security specialist for every hundred software developers. Before AI, our goal was to shift security left, but now we can start from the left, drastically improving security.
Let's keep the conversation going!
Did you attend the session? Did you enjoy it? Do you have insights and key points to contribute? Feel free to write them below!