Generative AI lures DevOps and SecOps into risky territory

Application security leaders are more optimistic than developer leaders on generative AI, though both agree it will lead to more pervasive security vulnerabilities in software development, according to Sonatype.


Of the DevOps and SecOps leaders surveyed, 97% say they are using the technology today, and 74% report feeling pressure to use it despite identified security risks.

In fact, most respondents agree that security risk is their biggest concern about the technology, underscoring the need for responsible AI adoption that improves both software quality and security rather than trading one for the other.

SecOps teams save more time

While DevOps and SecOps respondents hold similar outlooks on generative AI in most cases, there are notable differences with regard to adoption and productivity.

45% of SecOps leaders have already integrated generative AI into the software development process, compared to 31% of DevOps leaders. SecOps leaders also see greater time savings than their DevOps counterparts: 57% say generative AI saves them at least 6 hours a week, compared to only 31% of DevOps respondents.

When asked about the most positive impacts of this technology, DevOps respondents report faster software development (16%) and more secure software (15%). SecOps leaders cite increased productivity (21%) and faster issue identification/resolution (16%) as the top benefits.

More than three-quarters of DevOps leaders say the use of generative AI will result in more vulnerabilities in open-source code. Surprisingly, SecOps leaders are less concerned, at 58%. Further, 42% of DevOps respondents and 40% of SecOps leaders say a lack of regulation could deter developers from contributing to open-source projects.

DevOps and SecOps leaders both want more regulation

Asked who they believe is responsible for regulating the use of generative AI, 59% of DevOps respondents and 78% of SecOps respondents say both governments and individual companies should share responsibility for regulation.

“The AI era feels like the early days of open source, like we’re building the plane as we’re flying it in terms of security, policy and regulation,” said Brian Fox, CTO at Sonatype. “Adoption has been widespread across the board, and the software development cycle is no exception. While productivity dividends are clear, our data also exposes a concerning, hand-in-hand reality: the security threats posed by this still-nascent technology. With every innovation cycle comes new risk, and it’s paramount that developers and application security leaders eye AI adoption with an eye for safety and security.”

The licensing and compensation debate was also top of mind for both groups. Without clear rules, developers could be left in legal limbo, dealing with plagiarism claims arising from LLM-generated code. Notably, rulings denying copyright protection to AI-generated art have already prompted discussion about how much human input is necessary to meet what current law defines as authorship.

40% of respondents said creators should own the copyright for AI-generated output in the absence of settled copyright law, and both groups overwhelmingly agreed that developers should be compensated when code they wrote is used in the open-source artifacts that train LLMs (DevOps 93% vs. SecOps 88%).
