Is AI going to replace software engineers?
The prevalence of AI and the ease of integrating large language models (LLMs) might lead us to believe the days of software engineers are numbered. This has been a hotly debated topic over the last year, as you can see from the numerous Blind posts from the software engineering community.
Although I rarely take anything posted on Blind as gospel, there is some truth in the power of ChatGPT and AI in general to automate certain tasks in a developer’s toolchain. The area I find most interesting and less talked about is how AI will fare ensuring the security of the software development supply chain. Based on my experience and the nuances in the supply chain model, I still think we’re several years away from AI being able to pull this critical process out of the hands of a developer. This post will cover the importance of supply chain security, challenges to AI, and best practices you can employ today.
What is the software supply chain?
The software supply chain has become the backbone of modern businesses building online applications. Software is everywhere, from the apps on our smartphones to the complex systems that power financial institutions and healthcare providers. As the reliance on software grows, so does the importance of ensuring its security, from whiteboard to app deployment. This often includes the base operating systems, code, dependencies and packages, build artifacts, tests, and 3rd party software. Today, nearly 85% of this interwoven chain is built using open source software.
The importance of securing the supply chain
Imagine your software supply chain as a complex web of components and dependencies, each potentially susceptible to vulnerabilities or malicious actors. The recent surge in high-profile cyberattacks has highlighted the importance of securing this digital pipeline. A breach at any point in the software supply chain can lead to data breaches, service disruptions, and significant financial losses.
The fallout can damage an organization's reputation and erode customer trust. As such, investing in software supply chain security is not only a matter of compliance but also a critical step in safeguarding your business's integrity.
Challenges for AI
Managing Dependencies - Modern software relies on numerous open-source and third-party dependencies or packages. If you’ve used ChatGPT before you know the results aren’t always factual or even remotely correct given the context of your query. So, how can we expect AI to decide which dependencies are appropriate given the risk of vulnerabilities or even go back to remediate the code once a zero-day exploit is discovered? Additionally, given the breadth and increased usage of open source packages and developers ‘scraping’ from StackOverflow, AI seems too much in its infancy to ensure the proper licensing without some sort of human review.
Limited Visibility - There aren’t many tools or open source projects available that provide end-to-end observability of the software supply chain. This makes it difficult to assess and mitigate risks effectively. AI could provide automation and improvements here by stitching together the various disparate tools to show a more comprehensive picture of the supply chain. However, the context needed to adequately assess business risk might prove challenging to an AI bot.
Vendor Risks - Remember the 2020 SolarWinds Orion attack? In one of the most prolific supply chain attacks to date, nearly 30,000 public and private organizations had their data compromised and networks breached. That number is likely larger, as the customers and partners of the directly affected SolarWinds customers were also potentially accessible! This highlights again the limitations of AI, as it would not know the severity or impact of the upstream vendor on its systems. There were many dependent factors to determine if the Orion product was configured in a way which would breach the customer’s network. It takes a human to work directly with the security teams of their vendors to determine the impact of a 3rd party breach. AI could assist the investigation through log collection, security events, and detecting anomalous behavior.
Best practices for software supply chain security
Inventory and Dependency Management: Start by identifying all software components and dependencies. Start with a spreadsheet, query your cloud provider APIs to build an inventory, or if you are using GitHub, check out their dependency graph and Dependabot to integrate with your CI/CD pipelines.
Risk Assessment: Conduct regular risk assessments to understand potential vulnerabilities and prioritize them. This often will include integration with your vulnerability management program and regular assessments/penetration tests.
Code Scanning and Testing: Implement automated code scanning and testing to identify and resolve security issues during the development process. There are many tools which provide static and dynamic application security testing (SAST/DAST) directly within your source code repository. They may already be included and you don’t even realize it! Check out Chainguard to see if you can replace your base images with a more secure open-source version.
Secure Development Practices: Train your development teams in secure coding practices to reduce the introduction of vulnerabilities. Brown bag lunch and learns are a great way to start this as you likely have some expertise within your existing staff. You can also engage training companies or use cloud provider credits to reduce the cost of the instruction.
Supplier and Vendor Management: Set clear security requirements for third-party suppliers and vendors. Regularly assess their security practices and tune into vulnerability feeds, especially if they involve a vendor in your environment. NIST offers a flexible way to track and integrate feeds into your workflow.
Continuous Monitoring: Employ continuous monitoring to detect and respond to threats in real time, reducing the time between detection and mitigation. Security information and event management (SIEM) tools like Azure Sentinel, multiple AWS tools like AWS GuardDuty/Security Hub, or a 3rd party like Splunk can consolidate security telemetry to help monitor for markers used in known supply chain compromises.
Incident Response Plan: It’s not a matter of ‘if’ but ‘when’. We’ve all heard that phrase, so ensure you have a robust incident response plan in place to react quickly in case of a security breach. This should be regularly rehearsed in table-top exercises to build the muscle and playbooks necessary to respond when a breach occurs.
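An added example, not part of the original post: one way to connect the inventory and vendor-feed practices above, matching a component inventory against records shaped like the NVD CVE API 2.0 JSON. The inventory, vendor names and CVE IDs are constructed placeholders, and entries that carry version ranges are flagged for human review rather than resolved automatically.

```python
# Constructed inventory of (vendor, product, version) tuples; names are made up.
INVENTORY = [
    ("examplevendor", "netmonitor", "2.4.1"),
    ("examplevendor", "netmonitor", "3.0.0"),
    ("otherco", "logshipper", "1.2.0"),
]

# Constructed feed shaped like an NVD CVE API 2.0 response; CVE IDs are placeholders.
def _cve(cve_id, score, match):
    return {"cve": {"id": cve_id,
                    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]},
                    "configurations": [{"nodes": [{"cpeMatch": [match]}]}]}}

FEED = {"vulnerabilities": [
    _cve("CVE-0000-00001", 9.8, {"vulnerable": True,
         "criteria": "cpe:2.3:a:examplevendor:netmonitor:2.4.1:*:*:*:*:*:*:*"}),
    _cve("CVE-0000-00002", 5.3, {"vulnerable": True,
         "criteria": "cpe:2.3:a:otherco:logshipper:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "1.3.0"}),
]}

def affected(inventory, feed, min_score=0.0):
    """Return (cve_id, score, component, needs_review) for inventory items named in the feed."""
    hits = []
    for item in feed.get("vulnerabilities", []):
        cve = item["cve"]
        scores = [m["cvssData"]["baseScore"]
                  for m in cve.get("metrics", {}).get("cvssMetricV31", [])]
        score = max(scores, default=None)
        # Records without a CVSS v3.1 score are kept so they are not silently dropped.
        if score is not None and score < min_score:
            continue
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if not match.get("vulnerable"):
                        continue
                    # cpe:2.3:<part>:<vendor>:<product>:<version>:... (escaped colons not handled)
                    vendor, product, version = match["criteria"].split(":")[3:6]
                    # A wildcard version with range bounds needs a human to compare versions.
                    review = version == "*" and any(k.startswith("version") for k in match)
                    for comp in inventory:
                        if comp[:2] == (vendor, product) and version in ("*", comp[2]):
                            hits.append((cve["id"], score, comp, review))
    return hits

if __name__ == "__main__":
    print(*affected(INVENTORY, FEED), sep="\n")
```

The `needs_review` flag marks exactly the cases the post argues still need a person: the feed names the product, but whether the deployed version falls inside the affected range has to be confirmed.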