Source Code Risks and Risk Mitigation With Guardrail Code Analyzer™

Written By Larry Bridgesmith J.D.

As innovation accelerates, technology is fast becoming integrated into just about every aspect of business and society. Because of this rapid advancement, there is an imminent need to balance innovation and regulation and establish a standard to approach technologies’ building blocks in your organization.  This is AKA “source code”.

Source code is at the root of all digitized processes.  Source code[i] is what software and digitized business processes are built on. All software, from applications to computer operating systems, is created using a common language developers can understand.  In addition, AI has both source code and algorithms are trained on intellectual properties that must be protected. Security, integrity, and trust are already critical concerns regarding technology and now AI.

Open source-code is a type of source code which is available to the public under varying license terms which typically provide the code for free but abdicate any responsibility.  Open-source code enables developers and programmers to work quickly, customizing applications for specific uses based on existing code. Use cases could include modifying an application to be compatible with a particular operating system or tailoring it to a specific user purpose, such as creating custom software for businesses.

Here are some recent stats on open-source code:

  • 90% of developers use open-source code in their applications.

  • 96% of all applications have at least one open-source component.

  • 78% of businesses use open-source software.

 

Using open-source code reduces the cost and complexity of building applications and gives companies a competitive advantage as they can achieve their objectives faster. Though 80% of today’s applications are built on open-source code, it’s also the weakest link. Open-source software is offered “as is,” so developers and users assume the risk.

Ongoing maintenance and security of open-source dependencies are critical, as a lack of oversight in these areas could result in data breaches, compliance issues, and system compromise. Known vulnerabilities in open-source code could be exploited by malicious actors, endangering the confidentiality, integrity, and stability of the software and any data connected to it.

As you can imagine, these are also critical concerns with AI. Generative AI is trained on publicly available and proprietary code, potentially exposing organizations to considerable risk of security, privacy and copyright infringement or license violations when building new software on top of these models.

Several different categories of technical risk can occur via source code.

  • Internally developed software built on open-source code can present myriad risks due to aggressive deadlines, lack of oversight, cost restrictions, team members leaving mid-project, or inadequate project management. Third-party oversight is recommended to ensure adequate guardrails and to keep projects within scope.

  • Third-party libraries and APIs are essential to AI functionality. Should library versions be outdated or have vulnerabilities, they can be a significant risk of compromise. Libraries and APIs should be from a reliable source, have clear documentation, and have a regular update cycle. Third-party data privacy policies must also comply with laws you are subject to, ideally, with the most stringent global policies to ensure future-proofing.

  • Data sets used to train AI are massive and can be structured (spreadsheets, CRMs, ERPs, etc.), unstructured (emails, social posts, photos, videos, etc.), semi-structured, or streaming (real-time data from stock prices, social streams, IoT devices, etc.). The risk of training on such large datasets is that it may result in societal biases, profiling, or inaccuracies in credit scoring, policing, and so on.[ii]

  • Algorithms can increase risk at scale, amplifying flawed logic and bias rooted in coding errors or incorrect assumptions derived from training data. Outputs should be continuously monitored to ensure such issues do not increase.

 

How Can You Know the Components of Your Source Code?

Knowing the components of source code is not just the realm of developers. Company leaders and the board must be aware of organizational risk, especially regarding its software infrastructure.

Source code components include the code and its interdependencies, such as the third-party frameworks, data, and tools it needs to operate.

A software bill of materials (SBOM)[iii] is an essential software inventory detailing its components and tracking changes in real time to alert stakeholders to any changes or areas of concern.

You might think of an SBOM as a dynamic RDA label that updates every time a company changes a product formulation. The SBOM provides essential visibility into each software component and will detect vulnerabilities during the development phase and throughout the software lifecycle.

The SBOM will illuminate:

  • Individual components (ingredients) of software

  • Where those components come from

  • License information for each component

  • Vulnerability concerns for each component

  • Vulnerability concerns for the hardware components run on

With this information, leaders will know which aspects of the software require oversight and maintenance and how the software components align with compliance concerns. SBOMs and related management tools help software developers determine component risk and ensure the software is secure and free of vulnerabilities.

 

What does this mean in practice?  Our Guardrail Code Analyzer™ consists of a variety of modules designed to be flexibly deployed to mitigate the risks specific to your usage of AI and source code.  The modules provide data about your source code ingredients, the potential risks and where code elements may have come from.  We enable this process by collecting, analyzing, and presenting information to humans such that they can make informed decisions about the risk you face.

Categorizing Source Code Risk

Categories of technical risk related to source code include cyber risks (confidentiality, integrity, and availability), data risks, privacy risks, reliability, and safety.

 

Cyber Risks

Open-source means anyone has access. Excessive access provides malicious actors with opportunities to manipulate code to their advantage.

Data Risks

Data integrity, or lack thereof, can increase the risk of non-compliance due to untracked dependencies or undetected vulnerabilities.

Privacy Risks

Any unmaintained code component may expose company or customer data, putting intellectual property and trade secrets at risk.

Reliability

Frequent changes to source code and lack of adequate documentation can introduce vulnerabilities and bugs, resulting in unstable and unreliable software.

Safety

Vulnerable source code can lead to significant and far-reaching damage if confidential information is exposed, posing safety issues for users, organizations, and society.

[i] https://www.techtarget.com/searchapparchitecture/definition/source-code

[ii] https://www.mckinsey.com/featured-insights/artificial-intelligence/tackling-bias-in-artificial-intelligence-and-in-humans

[iii] https://media.defense.gov/2023/Dec/14/2003359097/-1/-1/0/CSI-SCRM-SBOM-MANAGEMENT.PDF

Larry Bridgesmith J.D.

Executive Director Guardrail Technologies and Associate Professor Vanderbilt Law School

Larry brings consulting and training at the level of the Internet through emerging technologies such as blockchain, smart contracts, artificial intelligence, cryptocurrency and interoperable functionality.

LinkedIn Profile

https://www.linkedin.com/in/larrybridgesmith/
Previous

Crisis Communication and Management: Key Principles and Practices
Next

AI Regulatory Developments: What You Need to Know, What to Do, and the Risks of Non-Compliance