Is your organization self-aware or self-sabotaging?
2024-12-01

One thing this year’s “Global State of DevSecOps” report makes clear is that organizations that embrace AI-enabled development are approaching this challenge with varying levels of caution. The key factor is the level of confidence each organization has in its own security protocols. The report shows a spectrum of responses to AI-generated code use; some organizations are proceeding with cautious confidence, while others appear to be taking serious risks with their development security.

It's no surprise that of the 27% of organizations that allow free AI use across their organization, 81% report having high or moderate confidence in AI. These organizations are ready to go and they're confident that they have the controls in place to mitigate risk. However, it is a bit of a surprise that the 43% of respondents who are taking a more phased approach to AI-enabled development also reported having moderate confidence in their ability to secure AI-generated code, even while allowing only select development teams to use it in their work.

Meanwhile, 21% of surveyed organizations report lower overall confidence in their ability to secure AI-generated code—while recognizing that development teams are establishing unauthorized secondary AI workflows that circumvent security. And there are 5% of respondents that disallow the use of AI in development and are sure their developers are not using it. We can only speculate whether this confidence about managing AI risk stems from the disallowance itself, or from getting controls in place before they open the gates.

However, each of these cohorts also includes respondents that admit to being only slightly, or not at all, confident in their ability to secure AI tools and their output within the context of their development pipelines. The least-concerning subset of this group is those that do not permit AI use at all, either because of a lack of confidence in their preparation or because its use is not a priority for them. The risk for an organization in this group arises when AI-generated code and risk mitigation controls are not a priority despite knowing that AI is already being used in development. While this may feel like controlled use, it is still critical to evaluate risk visibility and establish automated security gates.

The group most at risk, however, are those respondents that reported allowing AI use during development despite also reporting a clear lack of confidence in their preparations to mitigate risks.

While the risks posed by AI development are similar to those posed by traditional application development (e.g., weak source code, vulnerable open source), they manifest at an even faster velocity. Last year, 38% of the organizations that responded to this DevSecOps survey tested their business-critical apps less than weekly, and only 36% of them involved cross-functional teams in AppSec testing. In addition, only 5% of respondents reported being able to resolve critical issues within a week. This is not a security posture that is going to work as AI development tools become more widely used.