Session: Community-centric approaches to securing AI-generated code
AI coding assistants (Duet AI, CodeWhisperer, GitHub Copilot) are positioned as helping developers work faster, get support in areas where they lack expertise, and identify ways to refactor or optimize code. But these assistants may also introduce new security risks, leaving developers vulnerable to malware attacks or reliance on “abandonware.” For example, the underlying models for these tools are often trained on data that is at least a few years old, and some of the open source libraries that are suggested for use could be deprecated or potentially even malicious. It’s important for developers to have access to free and open source tools that can be automated as part of their SDLC, working alongside coding assistants to keep code secure and vet suggested external dependencies.
In this session, we’ll discuss approaches to ensuring safe ‘mergeability’ of LLM-generated code that build on best practices established in successful open source communities. We help developers understand how open source projects like sigstore are tackling proof of origin, which will become increasingly important in the emerging world of AI-supported development.
This session will be recorded