Risks and precautions when using AI for software development in organizational environments
The rise of AI-based software development tools poses a growing risk to the security of organizations.
Many developers feel tempted to use these new AI tools indiscriminately to improve the quality and productivity of their software, without considering the risks this may bring to the organization they work for. The novelty and rapid evolution of these technologies make them hard for some organizations to manage.
The core issue is information protection: today, almost none of these tools hold the SOC 2 Type 2 certification, which represents a serious risk. Without that certification there is no guarantee that the data or code shared to build the AI's context, or passed to it as input, is handled correctly and confidentially. Only a handful of tools, under enterprise contracts, hold it.

Using free tools without approval from the InfoSec area (the organization's security team) puts the company, and even our jobs, at risk: an organization's code is intellectual property and may contain business rules of great importance and value, which should not be shared with third parties, least of all competitors.
While most AIs do not identify the user or the origin of the data, this does not eliminate the risk: we are still training a mass-market AI on the inner workings of our software. For that reason, it is essential to have a data confidentiality agreement and to verify that the service provider holds the SOC 2 Type 2 certification, if only to define responsibilities in case of a breach.
Any AI for software development that operates in an enterprise environment must hold an up-to-date SOC 2 Type 2 certification, which guarantees the confidentiality of the context and the data shared.
When is it appropriate to use free AI tools, or tools that do not meet SOC 2 Type 2?
Their use is appropriate in open source projects or for learning purposes (as long as the code is independent and does not belong to any organization). If the Git repository is public, we can use the AI without concern.
Conclusion
Use AI tools for software development, but do so responsibly and in the right environment. If in doubt, ask your organization's security area (InfoSec) whether a given resource is appropriate, preferably by email so that there is a record.
It is essential that organizations that want to incorporate AI into their processes hire an appropriate service and verify that the provider company holds the SOC 2 Type 2 certification. In addition, the contract should include liability and indemnification clauses for any incident.