Getting Started with AI development

Understand how AI assistants work and take charge of your development process.

~15mins estimated

AI/ML

AI Development: The Basics

What is AI development?

AI-powered development involves using Large Language Models (LLMs) to assist in writing, debugging, and documenting code. These models aren't "thinking" in the human sense; they are sophisticated next-token predictors. They have been trained on trillions of lines of public code, documentation, and technical forums.

When you provide a prompt, the model breaks your text into small chunks called tokens (which can be words, characters, or sub-words). It then uses complex probability math to determine which token is most likely to come next based on the patterns it learned during training.

About This Lesson

In this lesson, you will gain a foundational understanding of what AI assistants are, how they are integrated into the tools you already use, like your IDE and CLI, and grapple with the critical shift required of the modern developer when integrating these powerful tools into their daily workflow.

FUN FACT

Trillions and trillions

The largest LLMs contain trillions of parameters, which essentially means they have that many adjustable values to help them map input prompts to highly relevant and detailed outputs.

AI Development In Action

Imagine Sarah, a developer building a new internal tool. She needs a quick way to let users search for logs in a database. She opens her AI assistant and provides a very simple, direct prompt:

"Write a Python function that takes a 'username' string and executes a SQL query to find all logs associated with that user."

In the terminal/IDE, the AI rapidly generates the following code:

Sarah is thrilled with how fast the code was generated and immediately integrates it into her project. However, she has just introduced a classic security flaw.

AI Development Under the Hood

The code in the previous section is functional but contains a critical SQL Injection vulnerability. Why did the AI do this?

  1. Prediction over Security: The AI predicted the most common way to write a SQL query based on its training data. Unfortunately, the internet is full of old, insecure tutorials using string formatting for queries.
  2. Tokenization and Context: The AI treated username as a simple string to be inserted directly into the SQL query. It didn't understand that a malicious user could provide a string like ' OR '1'='1, which would change the logic of the entire database command.
  3. The Training Gap: LLMs are trained to be helpful and give you exactly what you asked for. Because Sarah didn't ask for a secure function, the AI focused only on the logic of the request.

SQL injections are a classic vulnerability for which there is often a straightforward solution; however, the rise of LLM-assisted coding has brought them back to the forefront and threatens to make them even more common. Check out our lesson on it for more information.

The Impacts of AI Assistant Flaws

If a developer relies too heavily on AI-generated code without review, the consequences can be significant. Failing to verify AI-generated code leads to AI-powered technical debt:

  • Vulnerability injection: Automatically introducing risks into your codebase at scale.
  • Over-reliance: Developers may stop performing manual code reviews, assuming the AI knows best practices.
  • Data poisoning: If the AI suggests an insecure library or a non-existent (hallucinated) package, you might accidentally pull malicious code into your environment.

FUN FACT

Numbers Not Words

Most LLMs don't see "words"—they see numbers. For example, the word security might be represented as a specific integer ID in the model's vocabulary.

AI Development Best Practices

Secure AI Development

The modern developer's goal is to treat AI-generated code as they would treat any code pulled from an external source: assume insecure until proven otherwise.

To make the process safer, Sarah should have taken these steps:

  1. Prompt for Security: Explicitly ask the AI to include best practices.
  2. Review and Test: Use the AI's output as a draft, but manually review it for security and robustness.

Here is an example of a more secure prompt that Sarah could have used:

"Write a secure Python function to query a SQL database for logs. Use parameterized queries to prevent SQL injection and ensure the database connection is closed properly using a context manager."

Keep in mind, this isn’t the only security measure that should be taken. And here is the code produced:
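
The pattern discussed in this lesson, shown as an added example (not the lesson's original AI-generated listing): a string-formatted query next to a parameterized one, run against an in-memory SQLite database with constructed rows. The function names, the `logs` table schema and the choice of `sqlite3` are assumptions made for the illustration.

```python
import sqlite3
from contextlib import closing


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (username TEXT, message TEXT)")
    conn.executemany(
        "INSERT INTO logs VALUES (?, ?)",
        [("sarah", "login ok"), ("sarah", "export report"),
         ("admin", "rotated api key")],
    )
    conn.commit()
    return conn


def get_logs_vulnerable(conn, username):
    # Insecure pattern the lesson describes: the input is formatted into the
    # SQL text, so quote characters inside it are parsed as SQL syntax.
    query = f"SELECT username, message FROM logs WHERE username = '{username}'"
    with closing(conn.cursor()) as cur:
        return cur.execute(query).fetchall()


def get_logs_parameterized(conn, username):
    # The ? placeholder binds the value as data; it is never parsed as SQL.
    query = "SELECT username, message FROM logs WHERE username = ?"
    with closing(conn.cursor()) as cur:
        return cur.execute(query, (username,)).fetchall()


def compare(username):
    """Return (rows from vulnerable query, rows from parameterized query)."""
    # closing() guarantees the connection is released even if a query raises.
    with closing(make_db()) as conn:
        return (len(get_logs_vulnerable(conn, username)),
                len(get_logs_parameterized(conn, username)))


if __name__ == "__main__":
    # A normal username, then the string quoted in the lesson.
    for value in ("sarah", "' OR '1'='1"):
        print(repr(value), compare(value))
```

A review check that follows from this: any query built with an f-string, `%` formatting or concatenation around user input should be rewritten to use placeholders before it is merged.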

Stick around for the next lesson, which will dive deeper into how to responsibly craft LLM prompts, the first step in the process of responsibly harnessing the power of AI in your development flow.

Quiz

Which of the following best describes how a Large Language Model (LLM) generates a response when assisting a developer with a coding task?

Keep Learning

For more information and some of the latest industry updates, check out our blog:

Plus, if you want to know more about SQL injection specifically, take our lesson here:

Congratulations

Nice! You have officially taken the first step in your secure AI development journey. Now that you know what it means to involve AI in your process, get more specific in the following lessons about prompt engineering, app development, and autonomous AI workflows.