
Why quality source code has become more important than ever in the AI era


CEOs and executives understand the importance of software for their future businesses. As a society, we depend on software and the code it’s built on in all aspects of our lives. For better or worse, this dependence will continue to increase as technology advances.


Governments around the world are taking notice and starting to develop frameworks and standards around the quality and security of software code. New regulations on software security are gaining momentum as policymakers work to protect both consumers and businesses from costly — and common — cyberattacks. In February, for example, the White House Office of the National Cyber Director (ONCD) released a report underscoring the need for companies in all industries to prioritize the adoption of memory safe programming languages as a measure of improving software security.

This is only one instance of the government catching up to the need for secure, high-quality software. There’s also NIST’s Cybersecurity Framework 2.0, the White House’s new secure software development attestation forms, and the new Payment Card Industry Data Security Standard v4.0. All of these moves follow EU legislation last year that added software to its product liability laws and regulations.

How can companies ensure their software adheres to these new standards and legal requirements? The answer starts with the software’s foundation: source code.

Security starts with quality source code

Software is only as secure as the quality of its code, and security starts at the very beginning of the development process.

Bugs and issues introduced at the source code level compound, creating wider security holes that become easier for threat actors to exploit. Those problems take longer to rectify the further they move through the software development lifecycle (SDLC). Identifying and addressing code quality issues early on reduces technical debt and also helps mitigate security risks that can cost businesses billions.

The numbers speak: a study from McKinsey shows the cost of tech debt attributed to bad source code can stack up at around 20% to 40% of the value of a company’s entire technology budget. With software at the forefront of business success, that’s significant. Our research shows that there’s one issue found in every 27 lines of code. This all adds up to tens of thousands of exposures to vulnerabilities, threats, and tech debt for companies that prioritize software and own millions of lines of code.

Then there’s burnout to contend with. Developer demands are higher than ever; already, nearly 60% of developers say they’re experiencing burnout. The more code to churn out to support new products and features, the more issues we’re going to see by default. Twice as much code means twice the amount of mistakes. Exhaustion and stress make us all more prone to mistakes, which can lead to design flaws and bugs that become security issues.

AI further complicates burnout. While AI has the power to augment developers’ ability to write more code, it doesn’t come without drawbacks and risks. AI-generated code can only be effective when in the right hands and with the right checks in place. Code churn, in light of the rapid adoption of AI code generators, will double by the end of the year.

This all spells trouble for companies that prioritize features over quality.

Who’s responsible for code quality?

Companies as a whole must understand the value of code as an asset and the risks of bad code for their businesses, but doing so starts at the top. The board and C-Suite should have a stake in ensuring their development team produces top-quality code that meets compliance and risk management requirements.

The development teams building software also have a responsibility. Developers understand how critical their work is and the benefits of “shift-left”: testing code and addressing issues early so that they don’t compound as code moves through the SDLC, preventing tech debt and potential security issues from accumulating.

Companies need to equip their developers with the right tools and automation. It’s not practical to ask a developer to manually code and test every single line of code. AI, automated code analysis, and a robust “Clean as You Code” software development framework can greatly help offload the more tedious work so developers can focus on higher-value design tasks.

By continually scanning the code base and each addition or modification for potential issues, developers can code with ease while business owners can have confidence in the quality and security of the outcome.

No organization wants its valuable source code exploited. Organizations want to ensure the foundation of their software, their source code, doesn’t leave them exposed or create issues that may result in financial loss or reputational damage.

The more we rely on AI to accelerate code and help keep up with business demands, the more quality will come to the forefront. It’s up to business leaders to create a culture of transparency and equip their developers with the tools they need to build high-quality, secure software. It’s also up to leaders to monitor progress through reports and analysis so they understand where their organizations stand on software and code quality. Only businesses that see software and code as a critical business asset will reap the rewards of digital transformation.

Harry Wang, vice president of strategic partnerships, Sonar
