By Chris Shull, CISO
Over the past few weeks, the artificial intelligence (AI) system ChatGPT, from OpenAI, has captured many headlines, ranging from wonder to panic. Central to the panic is the idea that knowledge workers will be put out of work and that students will use ChatGPT to do their homework and take their exams.
I wondered if it might help me get started writing an article about an Information Security topic. So, when I needed to write an article for the Enterprise Applications team, I logged in to ChatGPT and gave it the following prompt:
“In approximately 700 words, describe the history of software engineering information security, the movement to shift security ‘left’ into the full software development lifecycle, and the need for Security-by-Design and Privacy-by-Design, written for software engineers and architects.”
In less than a minute, ChatGPT obliged me with the following first draft:
The field of software engineering information security has evolved significantly over the past few decades, as the increasing reliance on technology in our daily lives has made protecting sensitive information from malicious actors more critical than ever.
In the early days of software development, security was often an afterthought, with developers focusing primarily on building functional software and only addressing security concerns later in the development process. This approach, known as “security as an afterthought,” often resulted in vulnerabilities and security breaches that could have been prevented if security considerations had been incorporated earlier in the development process.
To address this problem, the industry began to shift towards a more proactive approach to security, known as “security by design” or “shift left.” This approach emphasizes the importance of incorporating security considerations throughout the entire software development lifecycle, from design and development to testing and deployment.
One key aspect of security by design is the use of secure coding practices, which help to ensure that software is written in a way that is resistant to common attack methods. This includes using secure libraries and frameworks, implementing input validation, and avoiding the use of hard-coded credentials.
Another important aspect of security by design is the use of threat modeling, which helps developers to identify and mitigate potential security risks early in the development process. This involves identifying potential threats to the system, such as unauthorized access or data breaches, and then taking steps to reduce or eliminate those risks.
In addition to security by design, there is also a growing emphasis on privacy by design, which focuses on protecting the privacy of individuals whose data is collected, used, and stored by software systems. This includes implementing data minimization, access controls, and data encryption to protect personal information from unauthorized access or misuse.
As software systems become more complex and interconnected, the need for security and privacy by design becomes even more critical. This is particularly true in the context of cloud computing, the Internet of Things, and other emerging technologies, which introduce new security and privacy risks that must be addressed through a comprehensive and proactive approach.
In summary, the history of software engineering information security has evolved from being an afterthought to a proactive approach, and “security by design” and “privacy by design” are becoming must-haves for software engineers and architects to ensure the security and privacy of the software they are building and maintaining. Incorporating security and privacy considerations throughout the entire software development lifecycle is crucial to preventing vulnerabilities and breaches and to protecting sensitive information and personal data.
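The draft names two secure-coding practices, input validation and avoiding hard-coded credentials, without showing what either looks like in code. What follows is an added example written for this page; it is not part of the ChatGPT draft or of the author's text. The allowlist pattern for usernames, the `APP_API_TOKEN` environment variable name, and the pattern used to spot credential-looking assignments are assumptions chosen for illustration, and the source snippet the scanner reads is constructed.

```python
"""Added example (not from the original post or the ChatGPT draft): two of the
secure-coding practices named in the draft, shown as working code.

1. Input validation with an allowlist: a username is accepted only if it
   matches a strict pattern, rather than trying to block known-bad characters.
2. Avoiding hard-coded credentials: the secret is read from the process
   environment, and a small scanner flags assignments that look like embedded
   credentials so they can be caught in code review or CI.

Variable names, the env var name and the sample source are all constructed.
"""
import os
import re

# Allowlist (assumption for the example): 3-32 characters drawn from
# letters, digits, underscore, hyphen and dot. Anything else is rejected.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(value) -> bool:
    """Return True only if value is a str matching the allowlist exactly."""
    return isinstance(value, str) and _USERNAME_RE.fullmatch(value) is not None


def load_api_token(env=None) -> str:
    """Read the API token from the environment instead of embedding it in code.

    Raises RuntimeError when it is absent, so a misconfigured deployment fails
    loudly instead of silently falling back to a default credential.
    """
    env = os.environ if env is None else env
    token = env.get("APP_API_TOKEN", "").strip()
    if not token:
        raise RuntimeError("APP_API_TOKEN is not set")
    return token


# A string literal assigned to a variable whose name suggests a secret.
# Reading from os.environ or a config lookup is not flagged, because the
# right-hand side is then a call or subscript, not a quoted literal.
_HARDCODED_RE = re.compile(
    r"""^\s*(?P<name>[A-Za-z0-9_]*(?:password|passwd|secret|token|api_?key)"""
    r"""[A-Za-z0-9_]*)\s*=\s*["'](?P<value>[^"']{4,})["']""",
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str):
    """Return a list of (line_number, variable_name) for suspicious lines."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _HARDCODED_RE.match(line)
        if m:
            findings.append((lineno, m.group("name")))
    return findings


# Constructed sample source: two embedded secrets and one correct env lookup.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2-not-a-real-password"
api_key = 'EXAMPLE-KEY-0000-NOT-REAL'
token = os.environ["APP_API_TOKEN"]
username = "alice"
"""


if __name__ == "__main__":
    for candidate in ["alice", "bob.smith-01", "al", "alice; DROP TABLE users"]:
        print(f"{candidate!r:30} valid={validate_username(candidate)}")
    for lineno, name in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: literal assigned to credential-like variable {name}")
    print("token from env:", load_api_token({"APP_API_TOKEN": " demo-token "}))
```

The scanner is deliberately simple: it catches the common case of a quoted literal assigned to a variable named like a secret, and it is meant to run as a pre-commit or CI check alongside a dedicated secret scanner, not to replace one.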
I found this draft to be pretty darn good. But it wasn’t quite in my usual voice, and it was missing any specific relevance to a WashU audience. I also hadn’t asked it to mention the core pillars of information security or itemize security principles. I was impressed that it mentioned secure coding principles without being prompted, but I thought we should be more specific and provide credit to OWASP and a link to their relevant quick reference guide.
All told, I think I saved a little time by using ChatGPT, especially for some of the broader statements, but I spent so much time editing things to be the way I wanted them that I’m not sure I’ll use it again.