Amazon CodeWhisperer updates could be a game changer for shifting left


New security-related updates to Amazon CodeWhisperer could play a key role in simplifying the age-old struggle of shifting left, according to a senior AWS figure. 

Doug Seven, general manager for Amazon CodeWhisperer, told ITPro that recent updates provide vital new features to help weed out potential vulnerabilities, simplify development processes, and supercharge productivity.

AWS unveiled a host of new features for the AI coding assistant at its annual re:Invent conference in Las Vegas this week. Among these was a new AI-powered code remediation feature that automatically highlights hard-to-find vulnerabilities that frequently evade built-in security scans.

Seven said the inclusion of scanning features separates CodeWhisperer from its industry counterparts, making it stand alone in that it provides built-in security scanning.

The scanning feature itself is based on functionalities in CodeGuru Security, an existing code review tool already offered by AWS.

“I think this is huge for developers in the sense that we're the only code generation tool like this that incorporates security scanning as a core feature,” he said.

“Most of the products would be a separate product that you would use in conjunction with what you’re doing. So that’s really critical.”

“If we can identify these security vulnerabilities and give you a one-click-fix to remediate them, then the artifact that you should be seeing is the number of security issues you have going down because they’re so easy to fix.”

Seven added that the overall number of security issues devs can expect to encounter will also reduce throughout the lifecycle as they’re now more easily identifiable.

Shifting left at pace

Shifting left, the process by which testing for vulnerabilities and flaws in code occurs earlier in the development lifecycle, has long been championed as a vital approach to avoid future headaches. 

Seven noted that the latest updates to CodeWhisperer could help simplify this process. The inclusion of these new features forms part of a concerted effort at AWS to provide developers with “responsible AI” tools to improve productivity.

“This is an early position we took when we started building CodeWhisperer, that we need to not just build a tool that generates code, but we need to do so in a very responsible way,” he said.

Another key feature that plays a critical role is the use of a reference tracker, he added, which provides the user with insights on whether they’re using open source code.

Fundamentally, this is all about “generating good code” and creating a collaborative synergy between the tool itself and the developer.

“The way to think about the security scanning capability is that CodeWhisperer is going to take your input context and generate code,” he explained.




“And we do a lot of work to make sure that the code that we're generating is good code, we do a lot of program analysis, we do a lot of work on the data training and things like that to make sure that what we're outputting is good code.

“As soon as that code and a developer meet, we don't know what happens. So what we wanted to do was make sure that we had put the tools in the developers' hands to ensure that the result of that collaboration is good.”

Caution advised

While comments around “one-click-fixes” do highlight the simplicity of CodeWhisperer in its current state, Seven was keen to emphasize that this shouldn’t be viewed as a silver bullet for automating DevSecOps processes. 

Human involvement is still vital, and he urged caution.

“I think it is an important thing, but I think the key is to understand that it doesn’t replace other means of doing the same thing in the [DevOps] process,” he said.

“As we shift left, we are giving the developer the ability to identify, find, and fix these issues before the code leaves their environment. But that doesn’t replace having those security checks in your pipeline already.

“The hope is that those pipelines don’t get slowed down because the issues are found earlier. As with any kind of issue, the earlier in the process you can find it, the faster the rest of the process will go.”

Ross Kelly
News and Analysis Editor
