Secure software depends on clean code -- AI-generated or not
Software is immensely pervasive and foundational to innovation and market leadership. You’ve likely heard the popular phrase coined by McKinsey that "all companies are software companies." It’s true that businesses are competing and winning in their markets based on their ability to digitize and innovate. Almost every major enterprise, no matter its industry, relies heavily on software to deliver services, manage operations internally or promote itself.
Software starts with code, which means that secure or insecure code starts in development. As long as we continue to view security as a bolt-on or an after-the-fact fix, we’ll continue to widen the chasm between the pace of digital innovation and security’s ability to keep up. With AI-generated code increasing the volume and speed of software production without an eye toward code quality, this problem will only worsen. The world needs Clean Code. Without it, the performance of software will suffer, negatively impacting the business.
Secure Software’s Much Needed Mindset Shift Begins with Code in Development
Organizations should be looking critically at how their code is developed. Only when code is clean, which by definition means that it is consistent, intentional, adaptable, and responsible, can the security, reliability, and maintainability of software be ensured.
Yes, there has been increased attention to secure software and impressive developments in this arena. But still, these efforts are being done after the fact, i.e., after the code is produced. Failing to build security in as part of the coding phase will not produce the radical change that our industry needs. It’s time for organizations to help the engineering team do a better job delivering code and to let developers invest their time in actually writing new code, innovating and supporting the business.
Bad Code is the Biggest Business Liability that Organizations Face
Whether businesses know it or not, and chances are they don't, technical debt is mounting due to code quality issues. Any organization that’s large enough to have 200–300 developers will likely have a tremendous amount of technical debt resulting from flawed legacy code. Developers are stuck having to waste time on remediation while applications are largely insecure and unreliable, making them a liability to the business.
AI both helps and hurts the situation. On the plus side, it enables developers to work more efficiently, gives them more bandwidth to tackle more complex tasks, and can shift most of their focus to projects they’re excited about. Plus, leveraging AI to help improve productivity will likely have a ripple effect that positively impacts the work atmosphere and curbs burnout.
However, there is a tradeoff. While code generated by LLMs helps developers get started quickly and enables companies to build applications faster, it does come with significant risks. LLMs can sometimes generate information that is factually incorrect, misleading, or even fictional. This phenomenon is known as "hallucination." LLMs are trained on vast datasets that can quickly become outdated. As a result, they may not have access to the most current information or may perpetuate outdated information. It's important to make sure that the code snippet proposed by an AI tool is secure and that it is clean in the context of the entire codebase.
While senior developers know how to refactor and adjust the code snippets that generative AI tools output, junior developers don’t have the same skills and years of experience. Greener developers are more likely to blindly trust the code as is and push it through to production, leading to more tech debt, security problems, and application crashes. The impact this can have on society is enormous -- the cars we drive, the equipment health workers use, how pilots fly planes, and banking systems.
Clean as You Code, Alleviate the Burden of Tech Debt
As organizations increasingly rely on AI for code creation, it becomes imperative to proactively scrutinize generated code and preempt post-production issues. I urge organizations to take the time to understand and adopt a ‘Clean as You Code’ approach. It’s the only way to keep up with increasing development speeds. This will not only stop the technical debt leak but also remediate existing debt whenever code is changed, drastically reducing the security risks within software, which is absolutely necessary for businesses to compete and win -- especially in the age of AI.
Peter McKee is Head of Developer Relations, Sonar.