This session, led by Varun Manoj from Snyk, explores the balance between efficiency and security in the use of AI-generated code. It highlights the benefits and risks associated with generative AI tools in software development, providing actionable insights and best practices for mitigating vulnerabilities.
Speakers
Varun Manoj
Snyk
Senior Solution Engineer
Transcript
Hey, everybody. It's been a lovely conference. The session that I'm doing today is called Breaking AI. There will be a demo, I'm going to try my best to show you how AI works in software development and what are some of the things we should keep in mind when using AI, essentially. But yeah, a bit about me. So, I've been at Snyk for nearly five years. I'm a solutions engineer. So, essentially, if you come to talk to Snyk, I'll be giving you a demo. And at the end of the day, if you want to try it, then I'll help you, kind of POC Snyk. Snyk's all about DevSecOps. So, adding security into development processes. As you see there, it's in brackets. Because to be honest, DevOps done right has security as part of the process. But we've had this shift of injecting security. And now we've also got this added world of AI. This is what we're going to cover today, right? How to AI in development? What are the common use cases? And then, we're actually going to try to use AI to build an app with Copilot today, right? And we'll see how that goes. And then, finally, learnings and takeaways. There's been a lot said about AI in this conference, right? There's a lot of people talking about AI. I won't rehash old ground, but this is quite a good graphic, I think, just to show how popular it is and how much is being adopted. So, Google Translate took 78 months to reach 100 million users. ChatGPT took two months. It's just absolutely insane. So, it's coming whether you like it or not, AI has been used. And I think there's a reason why it's quite popular in development, AI. Because your average developer, at the end of the day, what do they get paid for? They get paid to ship a product. That's their main KPI. So, that's what they're paid to do. That's why they come to work. That's what they do. And AI makes that easier. So, AI is adopted by developers in various ways. And these are common activities that you do when you do software development. You maybe start with comments, you can summarise code, refactor code. And the last two, pair programming and generating code, they say AI or Copilot is the new Stack Overflow, right? So, you can ask questions, get answers relevant to the code base that you're working on. And that's really how it's been adopted, right? So, I think most developers these days use AI, right? And they say that they take less and less time to finish their tasks when they use AI. But again, being from Snyk, we also see the other side effects of this or some of the consequences of this. Because when you're generating code, you have to look at the validation of, like, does this introduce vulnerabilities, et cetera. So, Copilot does generate code without maybe that security lens. And it's up to the developer or to the organisation to validate and make sure that code is actually secure, right? A little example, artificial imagination, right? Maybe you've seen this one before, I think it's a slightly old example, but if you ask ChatGPT that question, I'll leave it to the audience on the quick maths on that, but like five times nine plus four times three, does anybody know? ChatGPT says 51. And even when you press ChatGPT to say, is that right? It's pretty confident. It says, 'Yeah, no, that's right. That makes sense.' But then, when you actually ask it a question, direct 45 plus 12, oh, you sure about that, ChatGPT? And then, it apologises. So, quite confident. Then, you press it, give some other evidence, and say, 'Oh actually, maybe.' But that's the fallacy on my part, because at the end of the day, AI doesn't have a comprehension of mathematical concepts. An AI model is trained on a data set. And then, it's finding statistical probabilities of what should come next from your question, right? So, there's no inherent understanding from an AI model about the nuances of mathematical concepts like this. So, you might need to validate the output you get from an AI model. And also, maybe, you know how you can use Copilot to generate vulnerable code, maybe how you can use different development practices to check your code, validate your code, and then ask the right things from Copilot, and it will give you the right kind of feedback. So, yeah, I think I will end with the takeaways, so the shit, shit, learnings and takeaways. So, there's probably a couple things to do before you start using generative AI tools inside your company or inside your organisation. The main thing, I think, is understanding that you might need to come up with standard operating procedures for using generative AI. If you're going to use Gen AI tools, you should know the risks involved with using these tools. For example, validation, making sure that you're not adding company data into a model which might be used and be outputted somewhere else, right? And then, making sure that it's embedded into processes to actually validate the output of these models. So, the common saying is trust but verify. With AI, you should definitely not trust to start with, right? Because at the end of the day, it's not, it's going to give you exactly what you asked for and not really looking at the wider implications of it. And then, a little plug to say, yeah, it's a good idea to maybe start testing while you're coding as well. So, yeah, as I mentioned, I'm from Snyk, and we do have some white papers that can help you understand how to use AI in an organisation. And one thing I will also say is, that Snyk Learn stuff I showed you, we actually have a set of lessons that talk about the OWASP Top 10 when it comes to LLMs and Gen AI, which are really good lessons. And these are free, so you can actually access this content right after this session. And they are a very practical type of sessions that you can send to a developer or send to people using Gen AI. So, yeah, something to look into as well. Hope that was fun. Thank you.
- Security
- AI
- Conference talks
Related videos