In recent news, ChatGPT reviews source code has garnered significant attention. The ongoing hype raises concerns about the potential impact of this AI service on job security.
Developers, in particular, feel threatened by this AI bot’s ability to write code on the fly. The general consensus is, however, that code-writing jobs for humans are safe for now.
Tech advisor Bernard Marr says that ChatGPT and natural language processing technology are unlikely to render developers, programmers, and software engineers unnecessary now and in the near future.
ChatGPT’s Impact on Open-Source Code Talent
Discussions about whether ChatGPT will require new skills for existing positions or new jobs with specialized experts are ongoing. While new and exciting, ChatGPT won’t immediately create new or different jobs. Like any new tool introduced to developers, it takes time for developers to become familiar with the technology and understand how to use it best.
ChatGPT is no different. For example, consider the previous push to use low-code/no-code technology. While this great technology is used to speed up the creation of apps and improve usability for non-developers, it has taken time for organizations to properly use low-code/no-code technology. A similar perspective and trajectory will extend to the use of ChatGPT for all software development, including open-source projects.
In the coming weeks and months, it will be essential to encourage the open-source community to embrace ChatGPT and explore its possibilities. Technology has already proven to be an effective educational tool. Consider asking ChatGPT for book recommendations about programming languages and coding; it delivers short descriptions for each book. Or, prompt it for the top takeaways from one specific book. By doing this, individuals can make learning so much easier. By learning from other developers and sharing resources, including results from ChatGPT, the community roots of open source will keep thriving.
ChatGPT's Limitations
For one, ChatGPT can only write relatively simple applications. Even if it has the skills to do more advanced coding with suitable instructions. It does not instantly provide non-developers a competitive edge over developers who understand coding and have experience in actually writing code.
Another crucial reason many developer jobs are safe is the need for secure coding. ChatGPT itself concedes that it cannot guarantee that the code it churns out is secure.
Asked if ChatGPT can ensure code security, here’s the bot’s brief response:
“No, ChatGPT does not ensure secure coding. ChatGPT is an AI language model that can assist in answering questions and generating text based on the input it receives. However, it does not have the capability to guarantee secure coding practices or conduct security assessments on code. It's important to follow established security guidelines and best practices when developing and deploying code.”
ChatGPT learns further as it is continuously updated. But its ability to incorporate secure coding practices may take some time to reach an acceptable level of maturity. Or it may never be able to perfect secure coding, given the evolving nature of the threat landscape.
What is Secure Coding?
Secure coding is a new paradigm in code development where the responsibility of ensuring code security shifts left or goes to the developer. Security is no longer a separate process but a part of the software development life cycle (SDLC). It may not be compulsory, but it is encouraged and preferred.
Organizations that embrace secure coding gain the advantage of being able to easily comply with industry standards.
Instead of going through another stage of code scanning and testing to ensure security, the software production process is significantly shortened because bugs and other flaws are addressed before the code is deployed.
It is easier to fix these problems if you can spot and resolve them during the code-writing process instead of dealing with them in a separate stage.
Secure coding may seem like an added burden for developers, but it is a change worth adopting, given its significant benefits. It enmeshes security with the SDLC to reduce the need for major security revisions. And it results in significantly better app security upon release.
Code reviews with AI for improving performance
Performance issues are challenging to debug since several factors could be the cause. Also, application performance optimizations usually require extensive reviews of the code and its hardware to debug properly.
Then throw in the distributed nature of software these days. Microservice architecture and serverless functions running on diverse cloud platforms turn applications into intricate beasts that require a bird's eye view to debug. The hardware hosting these discrete bits of code also plays a role in debugging performance.
Code reviews with AI would ideally incorporate data obtained from observability processes incorporated into these systems.
A well-known observability platform, New Relic, already uses applied intelligence a form of machine learning to reduce alert noise for customers. Amazon's AI code reviewer, CodeGuru, uses AI to analyze huge code bodies. Its sister product, CodeGuru Profiler, analyzes applications already in production. We couldn't find a specific mention on Amazon's help pages that CodeGuru profiler uses AI. But it did say that it makes "intelligent" decisions about an application's performance.
ChatGPT isn’t a very good software engineer.
The other element of security concern with ChatGPT is one discussed earlier when Co-Pilot was stealing all the jobs before ChatGPT. Diving into some research discovered the concept of AI biases, that is that we trust AI much more than we should. Like a friend that is very confident in their answers, so you assume they are right until you finally discover they are an idiot that likes to talk a lot (in walks ChatGPT).
ChatGPT often gives you example code that is completely unsecure and unlike forums like StackOverflow, there is no community to warn you against it. For example, when you ask it to write code to connect to AWS, it hard codes credentials instead of handling them in a secure way, like using environment variables.
The problem is that a lot of developers will trust the solution their confident AI friend gives them not understanding that it is unsecure or why it is unsecure.
The Irony of AI in Cybersecurity
Despite being tossed around as one of the most important technologies in cybersecurity, AI chatbots like ChatGPT do not actually exceed in cybersecurity.
They are effective tools in simplifying tasks in various cybersecurity processes such as the detection of threats, attacks, and anomalous behavior. But they cannot be left to their own devices to enforce effective cybersecurity.
Coding software is not as simple and straightforward as many tend to think it is in the context of the ChatGPT hype. This is not to say that AI tools like ChatGPT are not remarkable. But ChatGPT does not have the specialized knowledge and expertise to reliably address modern threats.
Wrapping Up
Leveraging AI-powered secure coding tools like ChatGPT reviews source code can assist developers in identifying and addressing potential security flaws. However, the effectiveness of the code still relies on the developer's intentions and comprehension.
Novice coders with limited knowledge of coding and cybersecurity must enhance their understanding to fully utilize AI coding and AI secure coding solutions.
Final Thoughts
To ensure secure source coding practices, Offensive360 can take the following steps:
Emphasize Training and Awareness: Provide regular training sessions and awareness programs to developers and software engineers about the importance of secure coding practices. Educate them about potential risks, common vulnerabilities, and best practices to mitigate security threats.
Implement ChatGPT reviews source code and Testing: Introduce a robust code review process, where experienced developers examine the code for security vulnerabilities. Additionally, conduct thorough security testing, including penetration testing, to identify and fix potential weaknesses.
Integrate Static Analysis Tools: Utilize static code analysis tools that can scan code for security issues automatically. These tools can help identify potential vulnerabilities early in the development process.
Adopt Secure Development Frameworks: Encourage the use of secure development frameworks that are designed to address security concerns effectively. These frameworks often include built-in security features and functions.
Encourage Collaboration with Cybersecurity Experts: Foster collaboration between developers and cybersecurity experts within the organization. Cybersecurity experts can provide valuable insights and guidance on secure coding practices.
Conduct Regular Security Audits: Perform regular security audits on codebases to ensure that the security measures are up to date and effectively implemented.
Monitor and Enforce Compliance: Regularly monitor adherence to secure coding practices and enforce compliance when necessary. Provide positive reinforcement for developers who consistently follow secure coding guidelines.
By adopting these measures, Offensive360 can significantly enhance its secure coding practices and mitigate potential security risks. Even when using AI-powered tools like ChatGPT in its development processes. Secure coding is a collective effort that requires ongoing dedication and a proactive approach to address the evolving threat landscape effectively.