Do we need an SCA equivalent for GenAI code?

KT B.

- Securing the art of the possible | MEng, DPhil, PGDip

Published Jun 18, 2024

Mitigating the Security Risks of AI-Generated Code

As the adoption of generative AI accelerates, software developers are increasingly leveraging AI-generated code to streamline their workflows. However, this emerging practice introduces unique security considerations that organisations must address proactively. Existing application security tools are ill-equipped to handle the complexities posed by AI code, necessitating the development of specialised solutions akin to the early days of open-source software composition analysis (SCA) tools.

Lessons from the Open-Source Era

The rise of AI-generated code bears striking resemblance to the emergence of open-source software decades ago. Initially, enterprises were hesitant to embrace open-source code due to liability concerns. However, as open-source proliferated, it became an integral part of modern software, constituting 70-90% of its composition by lines of code (not necessarily reachable code which is often more like 10%). Similarly, while some organisations are currently avoiding AI-generated code, this stance may become untenable as the technology gains widespread adoption and competitors leverage its advantages.

Just as SCA tools were developed to monitor and secure open-source components, a new market dedicated to securing AI-generated code is likely to emerge. This specialised tooling will be crucial in addressing the unique vulnerabilities introduced by AI code, which is often trained on less secure open-source repositories, leading to a "bad code in, bad code out" scenario.

The Path Forward

As AI-generated code becomes more prevalent, organisations must recognise and address its challenges. The application security industry must take proactive steps to develop solutions that can monitor and secure AI code within modern software. This may include the introduction of AI Bills of Materials (AI BOMs) to track the provenance and potential vulnerabilities of AI-generated components.

The open-source evolution provides a blueprint for software providers to adopt new technologies and practices that ensure the secure and risk-mitigated adoption of AI-generated code. By learning from the past and proactively addressing emerging security challenges, organisations can harness the power of AI while mitigating its associated risks.

Useful Links

To view or add a comment, sign in

More articles by KT B.

Test-Driven Development and AI Pair Programming: A Natural Fit

Feb 26, 2025

Test-Driven Development and AI Pair Programming: A Natural Fit

In the offices, workshops and coffee shops where applications take shape, a quiet revolution is occurring. Artificial…
Identity is the New Perimeter: Keeping Organisations Secure in Hybrid and Remote Work

Feb 24, 2025

Identity is the New Perimeter: Keeping Organisations Secure in Hybrid and Remote Work

Working from home or splitting time between home and the office has become the new normal for many; this big shift has…
IAM, IGM, PAM: Untangling the Security Alphabet Soup!

Feb 16, 2025

IAM, IGM, PAM: Untangling the Security Alphabet Soup!

Ever felt like the world of cybersecurity is just a jumble of acronyms? IAM, IGM, PAM..
The EU AI Act: What Does the Ban on "Risky AI" Mean?

Feb 3, 2025

The EU AI Act: What Does the Ban on "Risky AI" Mean?

Artificial intelligence is transforming the way we live and work, but not all AI systems are created equal. While many…
The Evolution of Identity Management: Why Your Organisation's Security Depends On It

Feb 2, 2025

The Evolution of Identity Management: Why Your Organisation's Security Depends On It

In an era where digital transformation is no longer optional, organisations face an unprecedented challenge: managing…
Securing the Rise of the Machines: Authentication and Authorisation for AI Agents

Jan 2, 2025

Securing the Rise of the Machines: Authentication and Authorisation for AI Agents

AI is rapidly transforming our world, and with it comes the rise of AI agents – autonomous entities capable of making…
2025: A Year of Data Focus?

Dec 20, 2024

2025: A Year of Data Focus?

The convergence of Cloud Computing, Artificial Intelligence, and the Internet of Things is transforming the way we live…
The Future of Security Testing: Can AI Solve the Inadequacies of SAST and DAST?

Sep 28, 2024

The Future of Security Testing: Can AI Solve the Inadequacies of SAST and DAST?

As software becomes more complex and the threat landscape evolves, the need for robust application security has never…
10 Challenges for SASE in Banking

Sep 14, 2024

10 Challenges for SASE in Banking

In today's rapidly evolving digital landscape, organisations are grappling with the challenges of securing their…
The Perils of Over-Reliance on Generative AI in Cybersecurity: Risks and Mitigations

Sep 10, 2024

The Perils of Over-Reliance on Generative AI in Cybersecurity: Risks and Mitigations

In the ever-evolving landscape of cybersecurity, generative AI has emerged as a powerful tool. However, as with any…

See all articles

Mitigating the Security Risks of AI-Generated Code

Lessons from the Open-Source Era

The Path Forward

Useful Links

More articles by KT B.

Test-Driven Development and AI Pair Programming: A Natural Fit

Identity is the New Perimeter: Keeping Organisations Secure in Hybrid and Remote Work

IAM, IGM, PAM: Untangling the Security Alphabet Soup!

The EU AI Act: What Does the Ban on "Risky AI" Mean?

The Evolution of Identity Management: Why Your Organisation's Security Depends On It

Securing the Rise of the Machines: Authentication and Authorisation for AI Agents

2025: A Year of Data Focus?

The Future of Security Testing: Can AI Solve the Inadequacies of SAST and DAST?

10 Challenges for SASE in Banking

The Perils of Over-Reliance on Generative AI in Cybersecurity: Risks and Mitigations

Explore topics