Why You Must Enforce AI Control Policy ASAP
Snir Karat
Security Executive, Head of Security Supporting organizations to successfully complete their security transformation journey.
The use of AI is increasing rapidly and it’s transforming the way developers write code. It is much easier for a developer to ask an AI engine to complete a code module or to generate one than to do so by him or herself.
Given the tight timelines in agile methodology and the available technology, it is far more likely that the developer will use AI instead of writing it manually.
The PyPI Attack
Recently we witnessed the PyPI supply chain attack, which demonstrated that code supply chain attacks are very effective for attackers. They allow the attacker to spread his polluted code to well-known vendors by manipulating the code supply chain.
PyPI is a repository of Python modules or functions. Developers can import them into their Python scripts, so they don't have to reinvent the wheel every time they build a code module.
We define this as a supply chain attack because of where and whom it came from. 170,000 developers trusted the fake URL and used it in their code.
AI Engine Indexes Everything
So, by now you get the idea why code supply chain attacks are so attractive to hackers, and why developers can’t resist using these shortcuts. The AI engine poses another threat, as it indexes all queries in order to evolve and refine future searches.
Let’s say you have a developer with a task to complete a backend login page by the end of the day. He has some of the code with the relevant DB tables lying in one of the internal repositories, so he uploads it to some AI engine and asks the engine to complete it. Now part of your source code is indexed, and may show up in another search result out on the internet.
This scary scenario happens all the time, and it won’t stop until you develop an AI control policy for your organization.
Gain Back the Control
To avoid this growing threat, organizations have to develop AI policies that instruct employees how to use AI engines, define what is and isn’t allowed, and gain control by being proactive.
Organizations with higher security maturity will implement a specific monitoring tool to enforce such an AI policy.
ABOUT THE AUTHOR
With over twenty years of expertise in offensive and defensive security, I stand at the forefront of security innovation, blending strategic insight with a business-driven approach to unlock growth and success. My prowess in cloud security transforms SaaS products into strong and resilient tools for facing today’s threat landscape, engaging risks, and driving impactful mitigation. Renowned for crafting sophisticated strategies and solving complex challenges, I guide brands through the cloud transformation age with precision and forward-thinking leadership, setting new benchmarks in security excellence.