
Can AI be used to ultimately secure software and data supply chains?

Threats in the open source software (OSS) supply chain are wreaking havoc on the global cybersecurity landscape. Threats and attacks such as SolarWinds, 3CX, Log4Shell, and now XZ highlight the potentially devastating impact of these security breaches. The PwC report shows that this is being felt locally in Australia.

The ubiquity of open source software is a leading cause of supply chain attacks: open source libraries and languages underpin over 90% of the world’s software. Attacks on the open source supply chain are expected to accelerate, with attackers automating attacks on common open source software projects and package managers. Many CISOs and DevSecOps teams are unprepared to implement controls in existing build systems to mitigate these risks. In the coming year, DevSecOps teams will move away from shift-left security models to shift-down security models by leveraging AI to automate security outside of developer workflows.

Here, I’ll discuss how AI can help developers work more efficiently while creating more secure code.

The importance of management in the data supply chain

Security professionals need to consider how vulnerabilities extend into their data supply chains. While organizations typically integrate externally developed software through their software supply chains, their data supply chains often need clearer mechanisms for understanding and contextualizing data. Unlike structured systems or software functions, data is unstructured or semi-structured and is subject to a wide range of regulatory standards.

Many companies build AI or machine learning (ML) systems based on huge data sets from heterogeneous sources. ML models in model zoos are published with minimal understanding of the code and content used to create them. Software engineers must handle these models and data as carefully as they do with the code they put into their software, paying attention to their origins.

DevSecOps teams need to evaluate data usage responsibilities, especially when building large language models (LLMs) to train AI tools. This requires careful management of data in models to prevent sensitive data from being accidentally passed on to third parties such as OpenAI.

Organizations should adopt strict policies defining the permitted use of AI-generated code. When incorporating third-party AI platforms, they should perform thorough due diligence to ensure the organization's data is not used to train and fine-tune AI/ML models.

Artificial intelligence controls the transition from “shift-left” to “shift-down”

The concept of shift left gained popularity a decade ago as a way to address security vulnerabilities early in the software lifecycle and streamline developer workflows. While systems defenders have long been at a disadvantage, AI now has the potential to level the playing field. As DevSecOps teams navigate the complexities of data management, they must also assess the impact of the evolving shift-left paradigm on their organizations’ security posture.

Companies will begin to move beyond shift left and use AI to fully automate security processes and remove them from developer workflows. This is called “shifting down” because it moves security to lower-level automated functions in the technology stack, rather than burdening developers with complex and often difficult decisions.

GitLab’s Global DevSecOps report, The State of Artificial Intelligence in Software Development, found that developers spend only 25% of their time generating code. AI can increase productivity by optimizing the remaining 75% of the workload. This is one way to leverage AI’s ability to solve specific technical problems and improve efficiency and productivity throughout the software lifecycle.

As we look back on the past year, I expect we will reflect on how growing threats to OSS ecosystems have adversely impacted global software supply chains. The impact of this will catalyze significant changes in cybersecurity strategies, including increased reliance on artificial intelligence to protect digital infrastructure. The cybersecurity landscape is already changing, with increasing emphasis on mitigating supply chain vulnerabilities, enforcing data governance and incorporating artificial intelligence into security measures. This transformation promises to move DevSecOps teams toward software development processes that put performance and security at the forefront.