Application security leaders are more bullish than developer leaders on generative AI, though both agree it will lead to more pervasive security vulnerabilities in software development
September 12, 2023 – Fulton, Md. – New research from software supply chain management company Sonatype reveals how generative AI is influencing and impacting the work of software engineers and the software development life cycle. According to the 800 developer (DevOps) and application security (SecOps) leaders surveyed, virtually all (97%) are using the technology today, with three-quarters (74%) reporting they feel pressure to use it despite identified security risks. In fact, most respondents agree that security risks are their biggest concern associated with the technology, underscoring the critical need for responsible AI adoption that will enhance both software and security.
While DevOps and SecOps respondents hold similar outlooks on generative AI in most cases, there are notable differences with regard to adoption and productivity. Key findings among the two groups include:
“The AI era feels like the early days of open source, like we’re building the plane as we’re flying it in terms of security, policy and regulation,” said Brian Fox, Co-founder and CTO at Sonatype. “Adoption has been widespread across the board, and the software development cycle is no exception. While productivity dividends are clear, our data also exposes a concerning, hand-in-hand reality: the security threats posed by this still-nascent technology. With every innovation cycle comes new risk, and it’s paramount that developers and application security leaders eye AI adoption with an eye for safety and security.”
The licensing and compensation debate was also top of mind for both groups: without it, developers could be left in legal limbo dealing with plagiarism claims against Large Language Models (LLMs). Notably, rulings against copyright protection for AI-generated art have already prompted discussion about how much human input is necessary to meet what current law defines as true authorship. Respondents agreed that creators should own the copyright for AI-generated output in the absence of copyright law (40%), and both groups overwhelmingly agreed that developers should be compensated for the code they wrote if it’s used in open source artifacts in LLMs (DevOps 93% vs. SecOps 88%).
Head here to download the full report and learn more about in-depth patterns of generative AI usage, concerns and its benefits.
Methodology
Sonatype commissioned research panel provider Sago to conduct a survey of 400 DevOps leaders and 400 SecOps leaders in the United States whose responsibilities involve software development, coding and developer operations or application security, threat intelligence and analysis, and security operations. The web-based survey was fielded July 12-21, 2023. The margin of error is 3.46%.
About Sonatype
Sonatype is the software supply chain management company. Recognized by globally renowned analysts as a leader in the industry, Sonatype enables organizations to innovate faster in a highly competitive market. We allow engineers to develop software fearlessly and focus on building products that power businesses. Sonatype researchers have analyzed more than 120 million open source components – 40x more than its competitors – and the Sonatype platform has automatically blocked over 145,000 malicious components from entering developers’ code. Enabling high-quality, secure software helps organizations meet their business needs and those of their customers and partners. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on our tools and guidance to be ambitious, move fast and do it securely. To learn more about Sonatype, please visit www.sonatype.com.