When I wrote my first applications in high school, coding was a lot more time-consuming. I didn’t have libraries I could shop through with ready-made bits of code to drop in to save myself time or bridge the gap between the pieces of code I could write to create something more complex. Instead, I had to write everything from scratch. If I wanted to include any kind of image, I would have to draw it with mathematical coordinates, which took a ton of time. It’s almost like programming via Etch-a-Sketch. A friend of mine who spent hours creating a video game for a school project could only use stick figures, but our teacher thought the end product didn’t look very appealing, not realizing how much time and effort creating those stick figures took.
As I’ve moved forward in my career, other developers and I have been able to write more complex applications. Part of that was due to our growing expertise as we learned more. But part of that has also been thanks to the new technology that’s sprung up in the intervening years to make it easier to code faster and build more advanced applications than ever before. And now we’ve got the newest piece of technology here to help: ChatGPT and other AI-powered tools that can write simple blocks of code for developers, in whatever programming language they need.
But as these new tools are used more frequently and at a larger scale, there are important cybersecurity implications. Developers will need to be educated about cybersecurity best practices to ensure that the code produced by these AI-powered tools is secure and not accidentally introducing vulnerabilities. Instead of taking work away from developers, tools like ChatGPT will require them to learn new skillsets when it comes to cybersecurity – because at the end of the day, the human is the one accountable for the code, no matter what machine produces it.
The Evolution of Technology for Application Development
One of the things I love most about software development is that it’s in a constant state of evolution. As a developer, you’re always looking for ways to be more efficient and not write the same code twice – the old mantra of “don’t repeat yourself.” Humans have always tried to find ways to automate mundane, repeatable tasks. Just think of what solutions like TurboTax have done for tax season – just plug in a few pieces of data and boom, your taxes are done. From a developer’s perspective, when we’re able to take out that repetitive lower-level coding work, we can build better, more complex applications.
AI bots like ChatGPT aren’t the first piece of technology that has helped us do that. Instead, they’re merely the next step in the evolution of app development, building off what’s come before.
“Instead of taking work away from developers, tools like ChatGPT will require them to learn new skillsets when it comes to cybersecurity – because at the end of the day, the human is the one accountable for the code, no matter what machine produces it.”
One of the first experiences I had with a tool that helped make my coding life easier so I could focus on higher-level tasks was WYSIWYG (“what you see is what you get,” pronounced “wiz-ee-wig”), which I started using as a developer at IBM. WYSIWYG is a type of low-code/no-code software that allows you to create and edit elements that you need while showing them to you in their final form. For instance, say I need a button for my app. Think about that high school example, where I had to map images out with mathematical coordinates. With a WYSIWYG tool, I can instead create the button in its final form and then tweak as I need to in the tool, resizing it or adding text. Meanwhile, in the background, it creates lines of code that I can then drop into whatever application I’m working on, but in the tool itself, I just see the button. What you see is what you get. You can see how a tool like that would make things easier for app developers. I could spend less time coding buttons and more time on advanced functionality.
Another step in the evolution of coding technology is something called object-oriented programming (OOP). With OOP, people write basic modules of an application (“objects”) that contain data and code. Then as a developer, I can pull multiple pre-written objects together to create my own application. This saves developers time from having to write the same thing over and over again. Instead, you can grab the right objects as you need them, drop them in and move on.
ChatGPT: No More Googling Required?
Before AI-powered tools like ChatGPT, if I were looking for how to write some code in a certain language to perform a particular task, I’d head to Google. There, I’d usually find numerous answers from forums like Stack Overflow, which I’d sift through. There might be multiple answers from different sources that I’d have to compare until I landed on the one I wanted to use.
But as you can see in the image below, with ChatGPT, I don’t have to sift through multiple answers. Instead, I specify the programming language I’m working in and what I need the code to do, and it will serve me up what it believes to be the best answer. You can see how this saves time for developers. ChatGPT can write the code out faster than humans can type, which means less code for you, the developer, to write. By saving you from the mundane “boilerplate” type of development work, ChatGPT frees up developers to focus on higher-level concepts. The result? More advanced apps and faster development cycles.
There’s Always a Catch
Notice how I said ChatGPT serves up what it believes to be the best answer? Therein lies the catch for using an AI tool, and it’s the same challenge that comes with using any prebuilt code. Just because ChatGPT gives you one answer instead of the several you’d find by searching the old-fashioned way doesn’t necessarily mean it’s the best answer. This is a tool that’s still in the beta stage, after all. Developers should still evaluate and cross-check the code that ChatGPT serves up before using it in any application.
There are plenty of examples of breaches that started thanks to someone copying over code and not checking it thoroughly. Think back to the Heartbleed exploit, a security bug in a popular library that led to the exposure of hundreds of thousands of websites, servers and other devices that used the code.
Because the library was so widely used, the thought was that, of course, someone had checked it for vulnerabilities. But instead, the vulnerability persisted for years, quietly used by attackers to exploit vulnerable systems.
And that is the darker side to ChatGPT: attackers also have access to the tool. While OpenAI has built some safeguards into the tool to prevent it from answering questions regarding problematic subjects like code injection, the CyberArk Labs team uncovered some ways in which the tool could be used to create polymorphic malware. Even if these types of activities are safeguarded against as OpenAI continues to refine the tool, attackers can still use it the same way regular developers can – to cut down on manual coding time and produce malicious code faster than they could before.
Always Verify
So, just like so much else in the cybersecurity space when it comes to technology, the solution is to always verify. Developers will have to cross-check the code that ChatGPT provides with other sources to ensure there are no unintentional vulnerabilities or errors within. Because they don’t have the guardrails of peer review that they used to have, developers have to take accountability for the machine-written code. They will have to educate themselves on cybersecurity best practices and work with their security teams to ensure they can appropriately validate any machine-written code. At the end of the day, though these tools are helpful, the human using the tools is the one responsible for what is produced; the machine isn’t the one that will get sued or disciplined if something goes wrong and the organization is breached. But as long as developers take the time to evaluate the answers that ChatGPT provides and follow cybersecurity best practices, it and other AI-powered tools like it can help software development reach new heights.
John Walsh is a senior product marketing manager at CyberArk.
