Decoding AI-enabled dev: Top concerns, hidden benefits, and smart investment strategies

The top concerns with AI coding assistants: Security and IP

This year’s top concerns about AI-enabled development and pipelines highlight the scale of the challenge.

• Security vulnerabilities introduced by AI at speeds that exceed AppSec’s abilities
• Ensuring AI-generated code meets compliance and regulatory requirements
• Safeguarding sensitive data and intellectual property

These concerns are long-standing in DevSecOps: vulnerabilities, compliance, and IP protection. It stands to reason that AI-enabled development and generative AI coding assistants face the same issues, as these risk categories apply to modern software in general, with AI simply being the mechanism that creates the potentially afflicted code.

Interestingly, a significant portion of survey respondents expressed a complete lack of significant security concerns regarding AI coding assistants. Our data suggests this viewpoint often correlates with those who simply don't believe AI introduces new risks, outweighing even their confidence in security preparedness. This is a critical oversight that organizations cannot afford.

These benefits often directly empower developers, streamlining their daily work. While security teams benefit downstream from reduced backlogs, it's crucial for DevSecOps leaders to determine their primary focus: Are you building AI-enabled development pipelines or AI-enabled security workflows? The good news is that, with effective collaboration and deliberate integration, you can often optimize both.

However, a surprising disconnect emerged: Despite a prevalence of noisy AppSec testing (AST) results, we don't see a similar investment in reducing false positives or increasing testing tool accuracy. This could imply a focus on speed over precision, or a reliance on later-stage triage.

Key question: Does your investment strategy align with your actual pain points? If pipeline slowdowns are an issue, better integration and test/fix speed are logical investments. But if noisy results are eroding efficiency, are you truly addressing the root cause?

• Coverage vs. speed: Organizations with less AppSec testing coverage are focusing more on the speed of their tests and remediation. This could be a response to past compromises driven by tight software shipping deadlines, where faster tests become a mechanism to minimize compromises on coverage.

Key action: As you advocate for change, consider not just how to increase test coverage, but how to optimize tests for your pipeline as well. Ensure that your AST program supports development and release deadlines to reduce the likelihood of compromises or developers circumventing controls, which ultimately leads to decreased coverage.