ChatGPT: friend or foe for app developers?

A digital face in profile against a digital background.
(Image credit: Shutterstock / Ryzhi)

Once considered a laborious, complex, and highly skill requisite task, the world of coding has changed a lot today. Where previously there was a time when everything had to be written from scratch, and coding libraries didn’t exist, the modern day developer has a world of technology at their disposal to make the process easier. For businesses, it means that their developer teams can churn out code faster than ever before, allowing them to better meet the growing demands of consumers for quicker and better applications.

The latest technological development that’s further expediting coding speeds is AI, and more specifically ChatGPT. ChatGPT puts even more power into the hands of developers, with it now possible to auto-generate code in an instant in whatever programming language needed, all by using simple prompts. Whilst the adoption of ChatGPT and other AI tools in the coding space is already well under way, it’s important to stop and take stock of the cybersecurity implications it may bring with it. It is vital that developers are educated about cybersecurity best practices when using these tools to ensure that the code it produces is secure. For all the responsibility that ChatGPT can take on, the ultimate responsibility for making sure code is safe will always lie with humans. For that reason, precaution around how developers are using this technology is essential.

John Walsh

Senior Product Marketing Manager for Developer Security at CyberArk.

AI: the next step in the coding evolution

One of the aspects I find most enjoyable about software development is its constant evolution. As a developer, you are always seeking ways to enhance efficiency and avoid duplicating code, following the principle of “don't repeat yourself.” Throughout history, humans have sought means to automate repetitive tasks. From a developer's perspective, eliminating repetitive coding allows us to construct superior and more intricate applications.

AI bots are not the first technology to assist us in this endeavor. Instead, they represent the next phase in the advancement of application development, building upon previous achievements.

How much should developers trust ChatGPT?

Prior to AI-powered tools, developers would search on platforms like Google and Stack Overflow for code solutions, comparing multiple answers to find the most suitable one. With ChatGPT, developers specify the programming language and required functionality, receiving what the AI tool deems the best answer. This saves time by reducing the amount of code developers need to write. By automating repetitive tasks, ChatGPT enables developers to focus on higher-level concepts, resulting in advanced applications and faster development cycles.

However, there are caveats to using AI tools. They provide a single answer with no validation from other sources, unlike what you would see in a collective software development community, so developers need to validate any AI solution. In addition, because the tool is in beta stage, the code served by ChatGPT should still be evaluated and cross-checked before being used in any application.

There are plenty of examples of breaches that started thanks to someone copying over code and not checking it thoroughly. Think back to the Heartbleed exploit, a security bug in a popular library that led to the exposure of hundreds of thousands of websites, servers and other devices which used the code.

Because the library was so widely used, the thought was, of course, someone had checked it for vulnerabilities. But instead, the vulnerability persisted for years, quietly used by attackers to exploit vulnerable systems.

This is the darker side to ChatGPT; attackers also have access to the tool. While OpenAI has built some safeguards to prevent it from answering questions regarding problematic subjects like code injection, the CyberArk Labs team has already uncovered some ways in which the tool could be used for malicious reasons. Breaches have occurred due to blindly incorporating code without thorough verification. Attackers can exploit ChatGPT, using its capabilities to create polymorphic malware or produce malicious code more rapidly. Even with safeguards, developers must exercise caution.

The buck always stops with humans

With these potential security risks in mind, there are some important best practices to follow when using code generated by AI tools like ChatGPT. This involves checking the solution generated by ChatGPT against another source, like a community you trust, or friends. You should then make sure the code follows best practices for granting access to databases and other critical resources, following the principle of least privilege, secrets management, auditing and authenticating access to sensitive resources.

Make sure you double-check the code for any potential vulnerabilities and be aware of what you’re putting into ChatGPT as well. There is a question of how secure the information you put into ChatGPT is, so be careful when using highly sensitive inputs. Ensure you’re not accidentally exposing any personal identifying information that could run afoul of compliance regulations.

No matter how developers use ChatGPT in their work, when it comes to the safety of the code being produced the responsibility will always lie with humans. They cannot place blind faith in a machine that is ultimately just as liable to making mistakes as they are. To prevent potential issues, developers need to work closely with security teams to analyse how they’re using ChatGPT, and ensure that they’re adopting identity security best practices. Only then will they be able to reap the benefits of AI without putting security at risk.

We've featured the best AI writer.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

TOPICS

John Walsh is Senior Product Marketing Manager for Developer Security at CyberArk.