How does AI influence DevSecOps?
In most organizations, DevSecOps professionals rank Artificial Intelligence (AI), security and automation as their top priorities. Resources and data are both assets worth guarding against the actions of actors, and how heavily an organization has invested in each determines how these professionals fine-tune the allocation of their priorities. Most rely on Agile methodologies to improve and secure their assets; AI comes next on the list, since it is still catching up in the software development lifecycle. Organizations realize that adopting AI is essential to avoid falling behind. The key challenges they face are security, safety and experience; others include privacy and data security, choosing the right set of AI tools, upskilling requirements, and concerns about vulnerabilities. These challenges are not new, but what makes them hard for DevSecOps professionals, as industry reports from reputed sources note, is the low turnover in their ranks combined with a tendency to ramp up gradually. As a result, this discipline has room for improvement compared with software development for customer-facing products.
DevSecOps professionals are eager to adopt generative AI for its transformative potential. Many cite use cases in forecasting productivity metrics, identifying anomalies, explaining and remediating vulnerabilities, and chatbots for interactions. Machine data, including telemetry, unlike sensitive data such as personally identifiable information, is both voluminous and difficult to search without friendly operators and curated queries. As products, solutions and services for this data build more AI into their offerings, integration becomes even more complex than before, not to mention the eccentricities, nuances and defects to overcome. Consequently, in-house solutions that explore the data directly and answer the typical queries of a preliminary investigation report come in handy.
Most of the code behind automation comes from open-source software libraries. Capabilities such as a software bill of materials (SBOM), a list of all the components, libraries and modules that make up an application, are essential for maintaining the security of the software supply chain, especially as the amount of code pulled from open-source libraries increases. Unfortunately, SBOMs are not maintained as code sprawls across the landscape. When it comes to hosting and executing logic in containers that scale on demand, many fail to guard their programmability interfaces, such as web APIs, by mitigating OWASP threats with request-parameter inspection and web application firewalls. Dynamic application security testing and fault-injection-based testing are also insufficient. There has always been a cultural gap around security, with DevSecOps professionals often depending on development teams to resolve vulnerability defects. Many don't even have proper role-based access control.
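The SBOM maintenance problem described above, as an added example that is not from the original post: a Python check that compares a CycloneDX-style JSON SBOM against the versions actually pinned in a pip requirements file and reports the drift. The SBOM, the lock file and the function names are constructed for this illustration, not taken from any project.

```python
import json

# Constructed sample: a minimal CycloneDX-style JSON SBOM (not from the post).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "requests", "version": "2.28.0"},
  {"type": "library", "name": "urllib3", "version": "1.26.9"}]}"""

# Constructed sample lock file in pip 'name==version' format; certifi was added
# and requests was bumped after the SBOM was last generated.
REQUIREMENTS_TXT = """
requests==2.31.0
urllib3==1.26.9   # transitive dependency, still pinned
certifi==2023.7.22
"""


def parse_sbom(text):
    """Return {name: version} for every library component in the SBOM."""
    bom = json.loads(text)
    return {c["name"].lower(): c.get("version", "")
            for c in bom.get("components", []) if c.get("type") == "library"}


def parse_requirements(text):
    """Return {name: version} from pinned lines, ignoring comments and blanks."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins


def sbom_drift(sbom, pins):
    """Compare SBOM to lock file: pinned-but-missing, version-stale, orphaned."""
    common = set(sbom) & set(pins)
    return {
        "missing": sorted(set(pins) - set(sbom)),
        "stale": sorted((n, sbom[n], pins[n]) for n in common if sbom[n] != pins[n]),
        "orphaned": sorted(set(sbom) - set(pins)),
    }


def check_sample():
    """Run the drift check over the constructed samples; non-empty lists mean drift."""
    return sbom_drift(parse_sbom(SBOM_JSON), parse_requirements(REQUIREMENTS_TXT))


if __name__ == "__main__":
    for kind, items in check_sample().items():
        print(f"{kind}: {items}")
```

Wiring a check like this into the build so that any non-empty drift list fails the pipeline is what keeps the SBOM honest as the dependency set changes.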
A further list of AI safety and security practices is also available, which puts the effort required from DevSecOps professionals in perspective.