Code Intelligence Blog

Impact AI adoption SLDC on Software Testing | Blog | Code Intelligence

Written by Natalia Kazankova | Jun 11, 2024 2:25:58 PM

With AI finding adoption throughout all stages of the development process, the SDLC as we know it is becoming a thing of the past. Naturally, this has many implications for the field of software testing.

This article will discuss how the SDLC has evolved over time, going into detail on the impact that AI adoption is having on both software development and software testing.

Contents

 

Software testing challenges: adapting to the evolving SDLC

The evolution of the SDLC through numerous waves has allowed processes surrounding dev ops tasks to become more efficient but not necessarily more secure. Here are some of the main ways the SDLC has evolved and what milestones and issues these have caused along the way. 

Open-source vulnerabilities 

Open-source has been a key driver of developer productivity, allowing teams to utilize existing software libraries rather than creating everything from scratch. This has allowed for the significant acceleration of release cycles - but with speed comes risk.

A 2022 security report that scanned 1703 open-source codebases found that 84% of them contained at least one vulnerability, 89% of the components in codebases were over four years old, and 91% appeared stagnant, with no new developments or updates being applied in two years. Given that supply chain attacks were the number one attack vector in 2022, such findings showcase the immense risk of untested third-party code and underline the importance of extensive, careful testing and monitoring.

API vulnerabilities

APIs are vital for integrating proprietary data with third-party assets, serving as vital components in application modernization and interoperability. While their codebases are amongst the most rapidly expanding within companies, they are also highly vulnerable to increasing attacks.

A Google Cloud API security study carried out in 2022 found that 50% of organizations have experienced an API security incident, and 62% of decision-makers have had an API security incident in the past 12 months. Despite such a high risk of vulnerabilities, only 40% of organizations have a complete API strategy in place, which highlights the importance of the need for robust security testing measures.

Vulnerabilities produced by AI-Code Tools

AI code assistants, such as GitHub Copilot and Amazon CodeWhisperer, are the latest big thing, saving developers significant time and effort by automatically generating code snippets or suggesting improvements.

However, research from Stanford University found that code generated through AI assistants is significantly less secure than code written by humans. This can easily lead to vulnerability issues. Another significant finding from the study was that developers place too much trust in these tools, overestimating their capabilities.

Such findings highlight the need for more robust testing solutions. As the rise of AI assistants in code generation is inevitable, they will, in turn, lead to a surge in the volume of code produced. This increase will require a more rigorous and efficient testing process to ensure that all code is secure before being shipped. 

Where traditional testing methods fall short

In light of such security challenges, traditional security testing methods such as SAST and DAST are still useful for gaining insights but often fall short as they lack the capabilities to detect deep-routed vulnerabilities with precision.

Static Application Security Testing (SAST)

SAST analyzes code without executing it.  Though it has certain benefits like early detection, unbiased testing, comprehensive analysis and support for multiple languages, it has some limitations, which include:

  • Lack of Runtime Context: SAST tests code without executing it, which means it misses issues that are dependent on runtime configurations or user input. 
  • False Positives: Another issue with SAST solutions that results from lacking runtime context is their susceptibility to producing false positives. Developers might receive numerous findings, only to discover that most of them are not actual issues nor relevant to the application. This can create a time-consuming process of sifting through the findings to determine which are valid.
  • Reproducibility Issues: SAST does not provide information about the input that triggered a finding, making it challenging to reproduce it.

 

Dynamic Application Security Testing (DAST)

DAST, in contrast to SAST, works by launching automated scans that mimic the way hackers operate, aiming to detect responses that are different from an anticipated set of results. While it overcomes some shortcomings of SAST, as it can scan applications during runtime,  it presents its own set of challenges. These include:

  • No Insights Into Source Code: It's hard to draw conclusions from test results as DAST runs blindly, i.e. without leveraging any insights about the source code to guide test creation. This can result in it missing deeply hidden bugs and vulnerabilities.
  • Increased Testing Time: Utilizing DAST often leads to a slower testing process, even when automation is employed. 
  • Late Results in the CI/CD Pipeline: DAST is usually done towards the later stages of the dev process, as it requires executable code. This can be particularly time-consuming, especially for larger, more complex applications.
  • Potential Need for Manual Testing: In instances where automatic execution and usage of the application aren't feasible, DAST may need to be replaced by manual testing with each release. This can add additional time to the development process.


Enhancing software testing with AI-powered whitebox dynamic testing

Today’s SDLC demands testing solutions that empower developers to deliver robust software quickly without compromising on security or quality.

AI-powered white-box testing is one new promising approach that can be used to secure both human and AI-generated code efficiently before it is shipped.

It’s main advantages include: 

  • Gaining a full understanding of an application’s Internal Design: Unlike SAST and DAST, AI-powered white-box dynamic testing can use code coverage measurements to leverage the internal design of the software. This allows it to generate more intelligent and comprehensive test cases.
  • Leveraging self-learning capabilities: By utilizing genetic algorithms, dynamic white-box testing tools can learn from previous test run data to continuously refine and test inputs.
  • Integrating with existing tests: AI-powered white-box testing can integrate seamlessly with existing unit tests for fully automated testing at every code change, allowing the detection of bugs before they enter the codebase.

AI-powered whitebox testing brings much greater precision and control to your software testing efforts.

Firstly, through its self-learning approach, it can uncover deeply hidden bugs and vulnerabilities that traditional methods would miss, providing a more thorough examination of the code. 

Secondly, its automated and scalable nature allows seamless integration with Continuous Integration/Continuous Deployment (CI/CD) pipelines, aiding development teams in identifying issues without slowing down the overall process. 

Thirdly, by identifying false positives and duplicates it ensures that any issues found are relevant, making the entire testing process more productive and targeted.

Combining AI white-box testing and large language models in software testing

While AI-powered white-box testing is effective at finding deep-rooted security issues, its precision can be further amplified when combined with the Large Language Models (LLMs) to dig even deeper and identify vulnerabilities en masse.

LLMs have the power to analyze vast amounts of code, identify potential entry points for genetic algorithms, and configure test harnesses. After this, AI-powered whitebox testing can generate inputs to attack those entry points and self-learn from previous data to continually enhance its understanding of the software's behavior and, hence its test inputs. 

This combination offers a highly scalable approach to software security, automating complex testing processes and freeing human resources for more senior-level analysis. We recently released CI Spark, an LLM-powered AI-assistant that allows exactly this.

The SDLC of the future

As we move forward and technologies like AI become more commonly used in the SDLC, it'll bring new challenges with it. 

What is clear is that the potential risks associated with the use of AI code tool, coupled with those of open-source and API technologies, mean that we must adapt to ensure that both human and AI-generated code is fully secure by implementing more robust, scalable, and innovative testing methods.

Therefore, integrating  AI-powered white-box testing is an essential step, providing the means to ensure that both human and AI-generated code is secure before shipping.

The AI era will create a promising future for software development, both in coding and in testing. Given human supervision, it is a path that promises to enhance the efficiency, security, and quality of software for years to come.

Every software is different, so there's no single solution that works for everything. Therefore, it is important to use a mix of AI methods at each process step to get the best results. 

If you want to see AI-powered software testing in action, contact us, and we’ll be happy to do a product demo. Note that we currently support C/C++ projects only.