Security First In An AI Era

Uploaded on 2025-05-21 in TECHNOLOGY-Key Areas-Artificial Intelligence, FREE TO VIEW

Putting security first makes a huge difference to any organisation, ensuring a proactive, risk-aware culture that protects assets, data and reputation from evolving threats. Perhaps surprisingly, it’s also possible to reap the rewards without hindering the software development team.

Companies shouldn’t look to reinvent the wheel and educate everyone in new practice, but rather, invest in leaders that drive this culture. They are the ones who will propagate learnings down and throughout teams.

Accountability matters, and organisations need to look for and measure continuous improvement, not some arbitrary finish line.

Easier & Harder With AI

In today’s AI-enabled development landscape, where code is being generated and deployed faster than ever, the stakes are higher. AI can supercharge productivity, but it can also introduce security risks at scale – from dependency sprawl to misconfigured open-source packages.

Vulnerabilities could spread out not only to customers, but to the whole open-source community in worst case scenarios.

The rise in AI tools and AI-generated code is changing developer practices, with 96% using AI coding assistants to streamline their work. The positives include gains spent accelerating production or finding space for more innovation, but the negative impacts are borne mainly by security teams.

One-fifth of AppSec teams surveyed said they face significant challenges securing AI-generated code because of the increased pace of production.

Accelerating part of the overall SDLC but causing bottlenecks elsewhere creates pressures and may lead to finger pointing. What’s actually needed is clear end-to-end collaboration to really prove the value of AI coding investments.

Security Early, Security Continually

Embedding security into the development process early and continuously is key if software developers are to provide products that can overcome the risks that AI co-pilots introduce, as well as those deployed by criminals to test defences and exploit vulnerabilities at scale.

The traditional security solutions that have become core to the developer ecosystem weren’t designed for the evolution of the modern development lifecycle or the sudden increase in speed driven by AI. So now, these tools slow the workflow of AppSec teams. This leads to friction between developers and security.

If organisations adopt tools that specifically secure human and AI-generated code then they can maintain a proactive, scalable security framework without impeding developer productivity or limiting the usage of AI. These tools – combined with smarter working practices and leadership that supports security measures rather than working around them – create a robust, sustainable approach to software security.

Security checks need to be embedded into pre-commit workflows and build systems. When managed earlier in development, developers remove the need for costly and complex remediation. The traditional way leads to extensive patching, ‘five alarm fire’ emergency responses and occasional damage control and remediation of compromised systems. Set up a defensive line that reduces the number of threats to address after code is committed.

And for AI workflows, where security blind spots can stem from unchecked open-source dependencies used for data pre-processing, model training or inferencing, shifting left is critical.

Robust build system security enhances supply chain integrity. It verifies dependencies, automates vulnerability scans, and enforces security policies within the build process. AI workflows make this critical, as unchecked open-source dependencies create security blind spots, when used for data pre-processing, model training, inferencing or any other task.

Getting Practical: Building Security-First Culture

A culture that genuinely prioritises security and security awareness, which shifts left, really does require organisational cultural change. Operations and security teams must have common cause, empathy, and business goals. Fostering collaboration and shared responsibility helps linked functions work together cohesively and securely.
 
DevSecOps is first and foremost a culture. DevSecOps culture focuses on uniting the normally siloed roles of Development, Security, and Operations into a collaborative shared-responsibility paradigm. It seeks to break down barriers, finger pointing, and deflection. Instead, it aims to build empathy and common goals among various disciplines within the organisation.

To realise maximal gains from early vulnerability detection, pre-commit and build security measures should be automated and seamless.

Security scans should not be triggered manually. Aim for consistent enforcement without disrupting workflows by automating checks integrated into pre-commit hooks and build pipelines. Sustained success comes from comprehensive and context-aware security tools. Users must get immediately meaningful analysis, helping them solve challenges without increasing their cognitive or administrative loads.

Making it work and making it easy are essential for successful security with DevSecOps strategies rapidly evolving with AI. AI development is increasingly dependent on open-source tools and libraries, which makes securing these dependencies absolutely essential.

Danny Allan is CTO at Snyk 

Image: Paris Bilal

You Might Also Read: 

Managing Zero-Day Vulnerabilities In The Real World:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

« Reimagining Cybersecurity In The Age Of Organised Threats
Nova Scotia Power Suffers Major Data Breach »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Checkmarx

Checkmarx

Checkmarx provides state-of-the-art application security solutions with static code analysis software.

Cyren

Cyren

Cyren is a cloud-based, Internet security technology company providing threat detection and security analytics.

Cyber Triage

Cyber Triage

Cyber Triage is an automated incident response software any company can use to investigate their network alerts.

IGX Global

IGX Global

IGX Global is a provider of information network and security integration services and products.

Puleng Technologies

Puleng Technologies

Puleng provides customers with a client-centric strategy to manage and secure the two most valuable assets an organisation has - its Data and Users.

ICT Reverse

ICT Reverse

ICT Reverse is one of the UK’s leading, fully accredited providers of ICT asset disposal and secure data erasure.

Data Security Inc

Data Security Inc

Data Security, Inc. is the leading American manufacturer and supplier of hard drive degaussers, magnetic tape degaussers as well as hard drive and solid state destruction devices.

C5 Capital

C5 Capital

C5 Capital is a specialist investment firm that exclusively invests in the secure data ecosystem including cybersecurity, cloud infrastructure, data analytics and space.

North East Business Resilience Centre (NEBRC)

North East Business Resilience Centre (NEBRC)

The North East Business Resilience Centre is a non-profit organisation here to support businesses in the North East of England in protecting themselves from cyber crimes and fraud.

Twingate

Twingate

Twingate help organizations secure and manage access to their technology resources in a world where people work from anywhere.

CodeHunter

CodeHunter

CodeHunter is a malware hunting SaaS platform designed to detect all variations of malware, known and unknown, without the need for source code or signatures.

Vercara

Vercara

Vercara offers a purpose-built, global cloud security platform that provides layers of protection to safeguard businesses’ online presence, no matter where an attack comes from or where it is aimed.

Knownsec

Knownsec

Knownsec provides customers with cloud defense, cloud monitoring, and cloud mapping products and services with "AI + security big data" as the underlying capability.

Effectiv

Effectiv

Effectiv is a real-time fraud & risk management platform for Financial Institutions and Fintechs.

Bestman Solutions

Bestman Solutions

As a specialist cyber security practice, we believe that people are an organisation’s most valuable asset. Success depends on hiring the right people, and this is where we come in.

National Renewable Energy Laboratory (NREL) - USA

National Renewable Energy Laboratory (NREL) - USA

NREL is transforming energy through research, development, commercialization, and deployment of renewable energy and energy efficiency technologies.