AI and Open-Source Tool Integration Causes Concern in the Security Community

The software development world changes with the times. With more sophisticated threat actors worldwide, more sophisticated mechanisms must be utilized in the software development lifecycle. Some of the newer methods being used in Continuous Integration/Continuous Development (CI/CD) Pipelines are AI and open-source tools. These types of tools make the development of software much swifter and easier.

However, it can cause many issues with security teams within an organization. It is much harder for security teams to vet an open-source or AI tool as the open-source tools tend not to be questioned as to whether they came from a trusted source, while AI tools are not at a stage where they can be fully trusted in a software development lifecycle, as AI still makes mistakes.

Though AI and open-source tools help the developers as they automate many processes and make the CI/CD pipeline faster, this introduces a wrinkle in security teams. The concern is that developers are putting speed ahead of security. By prioritizing speed over security, many attack vectors open up to threat actors with these AI and open-source tools.

Additionally, developers want to stay competitive with other developers of rival companies, so not using tools like AI will put them behind the curve, thus putting them at a disadvantage with competitors. Before we dig into the threats these tools introduce, let’s first look at code signing and CI/CD pipelines.

Understanding CI/CD Pipelines and Code Signing

Code signing is a relatively easy process to understand, and it starts with a Public Key Infrastructure or PKI. The signer will request a code signing certificate from the PKI, thus receiving the public-private key pair they can use to sign the code. The key pair involves a public key, which is mathematically linked to the private key. The public key is a key that anyone can see and utilize, while the private key is one that only the certificate holder can utilize. The point of this code signing certificate is that the signing of the code is associated with the specific user who owns that certificate.

The actual code signing process involves hashing the code first. Hashing is a process where code or a document is fed into a hashing algorithm. This algorithm then converts the file into a hash digest, which is unreadable. Similar to encrypting, the hash digest is an unreadable mix of letters and numbers; however, unlike encryption, hashing is one-way. This means the hash digest can never be reversed to get the original text.

This hash is then sent to a Hardware Security Module (HSM) that stores the private key to the code signing certificate, and that private key is used to generate a signature for the code. The signature is then sent back to the client and bundled with the code. This signature ensures that the signer authenticates that the code is free of malware or viruses.

Now that we understand how code signing works, where does it work in the CI/CD pipelines software developers use? A CI/CD pipeline utilizes multiple tools for each phase of the software development lifecycle, which automates and simplifies the software development process. Tools like Jenkins can be incorporated with code signing to create a digital signature as the final step.

Tools like SBOM can be used before code is put into GitHub to check for a specified amount of vulnerability. Virus scanners can also scan code for viruses throughout the process, thus giving end-users faith in their computer software. As you can see, tools like AI or open-source tools could be a great way to speed up your CI/CD pipeline, but using these tools means you are compromising security for speed, which is never recommended.

Threats Faced by Open Source and AI Tools

Open-source or AI tools are great ways to improve and speed up your CI/CD pipeline, but many security concerns lie in these new types of tools. There are issues with the safety of open-source tools. Since the tools are open source, you cannot verify where they are from or who has changed or updated them. This causes issues with security because you want to provide software that an end-user can be confident has been securely created and managed.

Open-source tools can open flaws in a CI/CD pipeline, allowing threat actors to have new attack vectors for infecting victims with malware and viruses. There are many different factors involved in the use of AI tools. AI tools introduce the idea of privacy risks or intellectual property issues, which are problems when handling customer data.

One of the ways you can handle these threats and issues is by balancing your security and speed choices by making sure that you have a good level of speed in your pipeline while not sacrificing security. Making sure you have enough security in place in your CI/CD pipeline while still being able to work quickly and efficiently is very important as well. Finding that balance can be difficult while still staying competitive, but it will help a lot in the long run.

Conclusion

Finding that balance of speed and security is very important and can be a difficult task for a smaller team. Luckily, Encryption Consulting can help. We can help ensure that your compliance needs are met, as well as your code signing needs. Our platform, CodeSign Secure, provides a number of different resources that you will use within your CI/CD pipelines.

Along with code signing, CodeSign Secure allows you to use its SBOM integrations to scan code for vulnerabilities before uploading it to GitHub. You can also integrate with your existing CI/CD pipelines, such as Jenkins, TeamCity, or Azure DevOps. To learn more about CodeSign Secure, reach out to us at www.encryptionconsulting.com.