Saltzer & Schroeder for 2030: Security engineering principles in a world of AI

TL;DR

This paper examines how traditional security design principles by Saltzer & Schroeder can be adapted to ensure security-by-design in a future where AI-generated code becomes prevalent, emphasizing the evolving role of security engineering.

Contribution

It analyzes the impact of AI tools on security practices and proposes adaptations of classic security principles for AI-driven code development environments.

Findings

AI-generated code raises new security challenges

Traditional security principles need to evolve for AI contexts

Security-by-design is crucial in AI-assisted development

Abstract

Writing secure code is challenging and so it is expected that, following the release of code-generative AI tools, such as ChatGPT and GitHub Copilot, developers will use these tools to perform security tasks and use security APIs. However, is the code generated by ChatGPT secure? How would the everyday software or security engineer be able to tell? As we approach the next decade we expect a greater adoption of code-generative AI tools and to see developers use them to write secure code. In preparation for this, we need to ensure security-by-design. In this paper, we look back in time to Saltzer & Schroeder's security design principles as they will need to evolve and adapt to the challenges that come with a world of AI-generated code.