AI-assisted development: how to build and ship with confidence
0 likes186 views
The document discusses the impact of AI-assisted development tools, particularly GitHub Copilot, on the software development lifecycle and security practices. It emphasizes the importance of integrating AI tools while maintaining secure coding practices and highlights the benefits of AI in enhancing productivity and facilitating tasks like code suggestions and vulnerability detection. Key points include the need for developers to verify AI-generated code and the collaborative role of security across all stages of development.
AI-assisted development: how to build and ship with confidence
- 1. AI-assisted development: how to build and ship with confidence Maxim Salnikov
- 2. Maxim Salnikov • Building on web platform since 90s • Organizing developer communities and technical conferences • Speaking, training, blogging: Webdev, Cloud, AI-assisted development Help developers to succeed with the productivity tools at Microsoft
- 3. Focus on what matters most Less time on AI tools impact on developer experience Writing Tests, Repetitive Code, & Boilerplate Searching Documentation Manually Finding Vulnerabilities Deciphering Existing Code Summarizing Changes and Comments Correcting Syntax Learning Git Commands Collaborating Designing Brainstorming Iterating Planning Debugging
- 4. https://github.blog/news-insights/research/survey-reveals-ais-impact-on-the-developer-experience/ • 1:100 security team members to developers • Shifting the burden of security practices to developers • 45% of developers think teams will benefit from using AI to facilitate security reviews
- 5. AI-assisted coding LLM trained on large amounts of code IDE with file(s) open for editing Prompt + local context Code suggestion
- 6. Potential threats • Outdated and/or flawed patterns • Reinforcing bad practices • Skipping detailed reviews • Overlooking security
- 7. GitHub Copilot Workspace (Sign up for the Tech Preview) • Refactoring code • Explaining code • Writing documentation • Code suggestions • Converting comments to code • Autofill for repetitive code • Showing alternatives 1 Planning 2 Analysis 3 Design 4 Implementation 5 Testing & Integration 6 Maintenance GitHub Copilot in the Software Development Lifecycle • Writing tests • Fixing code errors • Summarizing pull requests • Guiding on configuring local environment https://en.wikipedia.org/wiki/Systems_development_life_cycle
- 8. Disclaimer / CTA • Security is everyone's responsibility – “Shift left”! • Teams must employ safeguards at multiple stages of the SDLC – Do not rely on a single stage/product • AI assistants may sometimes suggest insecure code – Trust but verify • AI assistants leverage a variety of security measures – Know your tool! YOU are the Pilot
- 9. GitHub Copilot is aiding secure development • In scope of ISO 27001 certificate • Encryption in transit and at rest • Removing sensitive information • Vulnerability prevention system • Powers multiple stages of the SDLC
- 10. AI-based vulnerability prevention system • Hardcoded credentials • SQL injections • Path injections
- 11. Demo recordings are available on YouTube
- 12. GitHub Advanced Security • Secret scanning * – AI- powered • Dependency review * – Dependabot • Code scanning * – SAST with CodeQL • Found means fixed – Autofix * Free for public repositories on GitHub
- 13. CodeQL treats code like data 1. Generate a CodeQL database from your code 2. Write & run CodeQL queries to identify problems 3. Integrate with your development pipeline https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql
- 14. Copilot API https://github.blog/engineering/fixing-security-vulnerabilities-with-ai/ Code scanning + Autofix flow
- 15. Pre- and post- processing • Selecting code to show the model • Adding dependencies • Specifying a format for code edits • Overcoming model errors
- 16. LLM Prompt contains • General information about this type of vulnerability • The source-code location and content of the alert message • Relevant code snippets from the locations all along the flow path and any code locations referenced in the alert message • Specification of the response
- 17. • 90% of vulnerability types detected (JS, TS, Java, Python) • 2/3 of the Autofix suggestions can be merged with little to no edits • Natural language description of the vulnerability and its fix • Full flow directly in the workspace Results
- 18. GitHub Copilot Trust Center https://resources.github.com/copilot-trust-center/ • Security • Privacy • IP and Open Source • Labor Market
- 19. Maxim Salnikov CONNECT AND ASK