Five questions to answer before adopting AI-generated code practices


In the digital era, the ability to ship code faster than competitors creates an almost incalculable advantage. It allows businesses to introduce new and better features, be more responsive to customer needs and market trends, and reduces the resources needed for each project. It’s no wonder then that the prospect of generative AI coding assistants taking on significant amounts of the burden of coding is creating such excitement. When used effectively, these tools have the potential to halve the time needed for the average software development project.

However, if AI assistants are deployed without due diligence, they can create more work, not less, for overstretched development teams. Every line of code must be rigorously tested, secured, and remediated before it goes into production. A sudden and dramatic increase in the amount of code being created therefore places an unmanageable burden on developers, especially since research has found that around 40% of copilot-created code contains bugs. As a result, poor implementation of generative AI can end up actually increasing developers’ workload, leading to reduced productivity and burnout.

Martin Reynolds, Field CTO at Harness.

Check, test, verify

The problem for organizations looking to accelerate software development is that, even before factoring in the increased volume of code, developer toil in the downstream stages of delivery is already getting out of hand. More than two-fifths of developers (42%) say that their processes for deploying code to production are neither fast nor efficient. A major reason for this is the time-consuming task of checking, testing, and verifying code, with two-thirds of developers (67%) saying such reviews take more than a week. On top of this, developers are constantly dealing with manual rollbacks of failed deployments, insufficient test coverage, and additional cybersecurity delays.

The implications of this overload are substantial, with research suggesting that poor quality software costs around $2.4 trillion a year in the US alone, contributing to the surge in cybercrime and the increase in mega-vulnerabilities like MOVEit. In this context, if AI assistants do end up doubling, or even tripling, the volume of code reviews that developers need to complete, these costs and security issues will become far more prevalent and impactful. As a result, organizations could find themselves with potentially serious economic, reputational, and regulatory consequences.

The five key questions

However, AI-generated code can be genuinely transformative for organizations if the right guardrails are in place. The challenge, therefore, is to reduce developer toil to the bare minimum, so that teams can securely and effectively manage the increased volume of code. Before launching any such adoption project, there are five key questions every organization should look to answer:

Has automated security been integrated into every phase of delivery? By introducing secure, well-governed pipelines that automate the testing, checking, and verification process, organizations can alleviate a huge portion of the manual code review effort that development teams are currently shouldering.

Are development approaches geared up to support automated code creation and review? To gain the greatest benefit from automated pipelines, organizations should have effective Agile development approaches in place alongside them. For instance, employing pair or mob programming can radically reduce the need for manual code reviews in later stages of delivery and so streamline the automated testing, checking, and remediation processes.

Are checks being applied effectively? Security policies are only ever as effective as the rate of compliance. Given the pressure that development teams are under to shift code into production quickly, there is often a temptation to cut corners and skip or rush security checks. Therefore, organizations should apply a policy-as-code approach to prevent any new code being released until it meets strict requirements regarding availability, performance, and security.

How is third-party code being authenticated? Incidents such as SolarWinds and MOVEit have shown how important it is that security measures extend beyond an organization's own four walls. However, monitoring and verifying open source software components and third-party artifacts is an incredibly time-consuming practice. Therefore, organizations should look to automate as much as possible of the processes they rely on to monitor and control these assets, such as creating a Software Bill of Materials (SBOM) and generating SLSA attestations.

Where can generative AI help to remediate security issues? As well as enabling development teams to create code faster, generative AI can be invaluable in helping them to swiftly analyze and remediate vulnerabilities. Every issue identified and fixed automatically is one more task that development teams no longer need to handle. Generative AI can be particularly effective when far-reaching mega-vulnerabilities, such as Log4j, are discovered, since they can require thousands of components to be checked and remediated. These tasks can take hundreds of hours if developers need to conduct them manually.
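The policy-as-code gate from the third question, combined with the SBOM and provenance checks from the fourth, can be expressed as a small, versioned rule set that a pipeline evaluates before anything is released. The example below is added here and is not code from the article or from Harness; the component data, coverage figure, latency figure and thresholds are all constructed, and the field names are hypothetical.

```python
"""Policy-as-code release gate (added example; data and names are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str
    vulns: list[str] = field(default_factory=list)  # severities from a scanner, e.g. "high"
    has_provenance: bool = False  # SLSA provenance attestation found for this artifact?


@dataclass
class ReleaseCandidate:
    components: list[Component]  # derived from the SBOM (constructed here)
    test_coverage: float         # fraction 0.0 to 1.0
    p95_latency_ms: float        # from a performance test run


# The policy is plain data, so it is reviewed and versioned like any other code.
POLICY = {
    "blocked_severities": {"critical", "high"},
    "min_coverage": 0.80,
    "max_p95_latency_ms": 300.0,
    "require_provenance": True,
}


def evaluate(rc: ReleaseCandidate, policy: dict = POLICY) -> list[str]:
    """Return every policy violation; an empty list means the release may proceed."""
    violations = []
    for c in rc.components:
        bad = sorted(s for s in c.vulns if s in policy["blocked_severities"])
        if bad:
            violations.append(f"{c.name}@{c.version}: unresolved {', '.join(bad)} vulnerability")
        if policy["require_provenance"] and not c.has_provenance:
            violations.append(f"{c.name}@{c.version}: missing SLSA provenance attestation")
    if rc.test_coverage < policy["min_coverage"]:
        violations.append(f"test coverage {rc.test_coverage:.0%} below {policy['min_coverage']:.0%}")
    if rc.p95_latency_ms > policy["max_p95_latency_ms"]:
        violations.append(f"p95 latency {rc.p95_latency_ms:.0f}ms exceeds {policy['max_p95_latency_ms']:.0f}ms")
    return violations


def gate(rc: ReleaseCandidate) -> bool:
    """True only when no availability, performance or security rule is violated."""
    return not evaluate(rc)


# Constructed sample: an AI-suggested dependency bump arrived with no provenance and a high-severity finding.
SAMPLE = ReleaseCandidate(
    components=[Component("web-api", "2.3.1", [], True), Component("json-utils", "1.0.7", ["high"], False)],
    test_coverage=0.85,
    p95_latency_ms=210.0,
)

if __name__ == "__main__":
    for v in evaluate(SAMPLE):
        print("BLOCK:", v)
    print("release allowed:", gate(SAMPLE))
```

Because the gate returns the full list of violations rather than stopping at the first, a developer sees every reason a release was held in one pass instead of rerunning the pipeline for each.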

Faster, better, happier

With the market for generative AI coding tools set to see a compound annual growth rate of around 22% over the next decade, it seems likely that a hybrid human/AI approach to software delivery will soon be the norm. While introducing these tools safely and effectively could be a difficult balancing act, there is huge reason for optimism about what it means for the future of the software development industry.

If properly deployed, generative AI can provide instant support to reduce developer toil by helping developers solve problems, democratize the coding process, and dramatically boost productivity. In short, those organizations that get the transition right can look forward to development teams that are less likely to burn out, spend more time on interesting, high-value strategy work, and generally feel both happier and healthier. As they continue on this journey, companies will find it easier to become more agile and responsive to both customers and the market.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Martin Reynolds is Field CTO at Harness.