According to JFrog’s latest annual Software Supply Chain State of the Union report, although many companies are employing artificial intelligence for security purposes, there’s a marked hesitance to adopt it for coding.
The report, which draws insights from more than 7,000 organizations globally, revealed that despite nine in 10 integrating AI/ML-powered tools in security scanning and remediation efforts, only one in three (32%) indicated that their organizations use AI/ML for coding.
This disparity highlights the cautious approach towards using AI in the development process, likely because many are concerned about potential vulnerabilities that AI-generated code could introduce to enterprise software.
Companies are worried about using AI for coding
JFrog CTO Yoav Landman commented: “DevSecOps teams worldwide are navigating a volatile field of software security, where innovation frequently meets demand in an age of rapid AI adoption.”
While security remains a core consideration, the study also revealed a divide over when security scans should run. Around 42% believe scanning while code is being written is best, while 41% favour scanning new software packages at the point they are pulled in from an open-source repository, before deployment.
The report also suggests that security processes are slowing developers down: around two in five respondents said that approval to use a new package or library takes up to one week.
Furthermore, the report raises concerns about the misinterpretation of Common Vulnerability Scoring System (CVSS) scores. Although 60% of security and development teams dedicate around a quarter of their time to addressing vulnerabilities, as many as three-quarters (74%) of high or critical CVSS scores were found to be inappropriate in common deployment scenarios. A CVSS base score describes a vulnerability in isolation; it says nothing about whether the vulnerable code is reachable, privileged, or exposed in a given deployment, which is why a base score alone is a poor triage signal.
Shachar Menashe, Senior Director of JFrog Security Research, summarizes: “Knowing where to put those tools, use their team’s time, and streamline processes is critical to keeping their SDLC secure.”
In an era increasingly characterized by cyber threats, informed decision-making and strategic resource allocation are more important than ever. Fortunately, the report also offers a positive outlook: while the number of threats is increasing, their severity may not be rising to the same degree.