It might be nice to have sophisticated cybersecurity tools to help detect vulnerabilities, but code safety still needs to start with developers getting the basics right.
This focus on the foundations means adhering to fundamentals, such as turning on two-factor authentication (2FA) and adopting industry standards and best practices, said Mike Hanley, GitHub’s chief security officer (CSO) and senior vice president of engineering.
Also: The best VPN services (and how to choose the right one for you)
The Microsoft-owned software development platform has more than 100 million users and sees its fair share of targeted cyberattacks. However, the form of these attacks has not changed significantly during the past decade. The majority of these atttempts are phishing and social-engineering attacks, which aim to take over the credentials and accounts of software maintainers, as well as exploits of web application vulnerabilities.
With cybercriminals largely sticking to the same tactics, it is critical that security starts with the developer. “You can buy tools to prevent and detect vulnerabilities, but the first thing you need to do is help developers ensure they’re building secure applications,” Hanley said in an interview with ZDNET.
Also: The best password managers to save you from login hassle
As major software tools, including those that power video-conferencing calls and autonomous cars, are built and their libraries made available on GitHub, if the accounts of people maintaining these applications are not properly secured, malicious hackers can take over these accounts and compromise a library.
The damage can be wide-reaching and lead to another third-party breach, such as the likes of SolarWinds and Log4j, he noted. Hanley joined GitHub in 2021, taking on the newly created role of CSO as news of the colossal SolarWinds attack spread.
“We still tell people to turn on 2FA…getting the basics is a priority,” he said.
He pointed to GitHub’s efforts to mandate the use of 2FA for all users, which is a process that has been in the works during the last one and a half years and will be completed early this year.
Also: What are passkeys? The life-changing magic of going passwordless
With the security market now flooded with “flashy” offerings, it can be easy for professionals to overlook the need for a simple deadbolt on the door.
The basic controls are going to be more effective in securing an organisation’s environment, alongside the adoption of industry standards and best practices, he said. These practices include Cloud Security Alliance’s published benchmarks and Singapore’s Safe App Standard, which is built on “common sense” basic security practices and input from both private and public organizations to help focus on the most essential components.
Redefining shift-left development with AI
Artificial intelligence (AI), including generative AI, is also emerging as an important companion for software developers, particularly in identifying potential vulnerabilities as they write their code, according to Hanley.
Also: How to use ChatGPT to write code
AI redefines the shift-left model and helps prevent developers from writing vulnerabilities in their code right from the start, he said.
The shift-left approach involves testing software earlier in the development lifecycle, so its quality can be assessed and refined throughout the development stage.
With software vulnerabilities often discovered after the codes are released to the public — and sometimes it takes years before they are uncovered, such as in the case of Log4j — the ability for AI to identify and provide suggestions to plug potential vulnerabilities before the software is published is a game-changer for developers, Hanley said.
According to research from GitClear, which looked at 153 million changed lines of code written from 2020 to 2023, the proportion of codes that are reverted or updated less than two weeks after they are written is predicted to double this year compared to 2021.
Also: Implementing AI into software engineering? Here’s everything you need to know
Pointing to GitHub’s AI-assisted software development tool, Copilot, Hanley said the technology aims to not only help developers write code, but also to review and fix it.
GitHub Copilot is touted to provide code suggestions that are aligned with a project’s context and style conventions, offering developers the ability to decide what to accept, reject, or edit. The tool can be integrated with other editors, such as Visual Studio and Neovim, and can suggest syntax and code in several languages, including Python, JavaScript, Ruby, and C#.
First introduced in October 2021, GitHub Copilot is currently used by more than one million developers and 20,000 organizations, GitHub CEO Thomas Dohmke said in a June 2023 post. The AI-assisted tool has generated more than three billion accepted lines of codes.
Its users on average have accepted almost 30% of code suggestions, with this figure climbing as developers have gained familiarity with the tool, Dohmke said, citing a sample analysis of 934,533 GitHub Copilot users.
Based on the 30% productivity rate, and a projected 45 million developers in 2030, he said generative AI developer tools can potentially add 15 million “effective developers” to the global capacity by 2030, boosting GDP by more than $1.5 trillion.
Also: How AI-assisted code development can make your IT job more complicated
GitHub Copilot users also report coding 55% faster with the tool, he noted, adding that 46% of codes were completed by the AI-powered technology in files where it was activated.
Like self-driving cars, though, AI-assisted development tools are not a replacement for human developers and code review processes, Hanley said. They are companion tools and, as the moniker suggests, co-pilots for software developers are more effective when they work together with their human counterparts.