JFrog today added the ability to detect code generated by artificial intelligence (AI) coding tools in source code, in addition to providing a tool that enables policies to be applied to govern how AI models and application programming interfaces (APIs) are invoked.
The AI-Generated Code Detection tool identifies snippets of AI code that might represent a high risk to the software supply chain to enable application developers to make more informed decisions about how much to rely on AI coding tools. It also provides an audit trail that enables organizations to better track compliance with licensing requirements.
The Shadow AI Detection capability, meanwhile, automatically detects usage of AI models and their associated APIs, building an inventory that DevOps teams can then govern using the JFrog Software Supply Chain Platform.

Yuval Fernbach, vice president and CTO of MLOps at JFrog, said collectively these additions to the platform will provide DevSecOps teams with more granular control over how AI coding tools are actually employed. That’s critical as it becomes apparent that AI coding tools are dependent on large language models (LLMs) that have been trained using examples of code that is often fundamentally flawed, he added.
The challenge is that AI-generated code snippets are not easily identified by legacy software composition analysis (SCA) tools, which then creates a level of risk that application development teams are unaware exists, noted Fernbach.
As the pace of application development continues to accelerate, the amount of risk faced by organizations building and deploying software is only going to increase, he added. One way to mitigate those risks is to ensure that application development teams are only invoking approved AI models, said Fernbach.
It’s only a matter of time before the vulnerabilities generated by AI coding tools are routinely exploited. In fact, adoption of AI coding tools will ultimately require organizations to make sure best DevSecOps practices are being more consistently employed.
Hopefully, there will come a day when AI improves application security, but in the meantime, the overall quality of applications being built may get worse before eventually getting better. In fact, a recent JFrog survey suggests organizations are still far too lax when it comes to applying DevSecOps practices. A full 71% of respondents work for organizations that still allow developers to download packages directly from the internet, despite well-documented risks.
Less than half of respondents (43%) said their organization is scanning at both the source code and binary level, with 40% admitting they lack full visibility into the provenance of software running in production environments. In the absence of that visibility, it’s all but impossible to ensure application security.
AI coding tools, of course, might one day provide a long-overdue impetus for organizations to finally secure their software supply chains. In the meantime, organizations might want to prepare for application security breaches that are about to inevitably increase as adversaries make greater use of AI to discover, ironically, the vulnerabilities created by AI coding tools.