Saturday, November 25, 2023

How To Combat The 3 Risks Generative AI Brings To Source Code

 


Source code security is a topic that I am passionate about.  In fact, I’ve got a whole whitepaper Sort of on that topic (it deals more specifically with on how to keep a good software update/patch schedule).  As I have written about before countless times, this topic is going to be one of the top Cyber issues in the coming year, and quite possibly for a long time to come. 

With pretty much everything going digital and being connected amongst one another, web apps and mobile apps are going to be the way things are headed.  But yet another problem that is compounding this grave issue is once again, Generative AI.  Love it or hate it, this too is going to be around for a long time to come also. 

Many businesses are now starting to send source code now using Generative AI, in an effort to automate the process.  It used to be done manually, but now longer is it the case.  This is a very vulnerable situation for those organizations that rely heavily upon outsourcing when it comes to building web or mobile apps.

For example, suppose Company ZYX has its base of operations here in the United States.  Some of the source code is developed here, but a major part of it is developed overseas, such as India.  Human intervention at one point was probably used to ship the code over to the headquarters in the US.  But now, Generative AI is being used for this, so probably nobody is really checking twice to see if there have been any issues or vulnerabilities.

So now, this is the big question:  How can US companies (or for that matter, any business really located throughout the world) protect themselves from receiving malicious code when automated means are being used for distribution?  Here are some tips that any CISO and their IT Security team can use:

1)     Mandate the use of code signing certificates:

You may be wondering what exactly this is?  Well, here is a technical definition of it:

               “Code Signing Certificates are used by software developers to digitally sign applications, drivers,      executables and software programs as a way for end-users to verify that the code they receive           has not been altered or compromised by a third party.”

               (SOURCE:  https://www.digicert.com/signing/code-signing-               certificates#:~:text=Code%20Signing%20Certificates%20are%20used,compromised%20by%20a             %20third%20party.)

               In a way, this can be compared to a chain of custody forms that are used in digital forensics             investigations.  In order for the evidence to be admissible to a court of law, there must be a               record of all of the authorized individuals who had access to it.  This is to ensure that nothing              has been altered or changed in the process, and that everything is still intact.  This is also true               for the source code.  In order to make sure that that it has maintained its integrity and that it             has not fallen into the wrong hands, software developers use these kinds of signing certificates.          However, for the longest time, this was an optional feature businesses to implement.  But now    people, especially those in the Cyber industry, are now stating that it should be a mandatory in     order to keep the attack surface to a minimum.

               Also keep in mind that the following questions have to be answered:

               *Who in your organization is signing code?

*Where are private code-signing keys stored?

*What software is being signed?

2)     Maintain visibility:

Even today, many businesses still go on the presumption that outside suppliers can be trusted, as long as they have a good reputation.  However, do not take anything for granted.  In this regard, you have to think like the Zero Trust Framework.  You have to go on the premise that absolutely nobody can be trusted, and that everybody must go through at least three layers of authentication in order to have their identity to be fully confirmed.  So with this in mind, you and your IT Security team have to keep a close eye on the rights, permissions, and privileges that are being assigned to everybody, especially even the software development teams that create your ever important source code.  In the end, always implement the concept of Least Privilege, which simply states that nobody should receive any permissions than are absolutely necessary to have.

3)     Assign a responsible party:

Back in the day, when source code was being developed, it would have been the responsibility of the IT Security team to ensure its safekeeping.  But with Generative AI, remote work, the use of both DevOps and DevSecOps teams, there are now hundreds, and possibly even thousands of people who could come into contact with the source code in one way or another.  Therefore, you need to find somebody or some entity that you can trust who will actually oversee the ownership of the source code.  Once that has been determined, then your IT Security team should work closely with them in order to make sure that all of the necessary protocols and controls are indeed put into place.  Try to find no more than two or three people, or just one entity, to take responsibility for the ownership.  The more involved this process gets, the worse off it will be in the long run.

My Thoughts On This:

According to a recent study conducted by Deloitte, over 50% of businesses will be using Generative AI for automation purposes.  And as you can imagine, the shipping of source code will be a big part of this.  While I am not against the use of AI completely, there needs to be sense of checks and balances here.  Cybersecurity needs both aspects:  the technology and the humans in order to really mitigate the risks of security breaches.

More information about this study can be found at the link below:

https://www.forbes.com/sites/serenitygibbons/2023/02/02/2023-business-predictions-as-ai-and-automation-rise-in-popularity/?sh=2aeab99e744b

 

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...