
Software intelligence is key to

By Jenna Sargent Barron

Development teams are always on a mission to create better quality software, be more efficient, and please their users as much as possible.

The introduction of AI into the development pipeline makes this possible, from software intelligence to AI-assisted development tools. Both can work hand in hand to reach the same goal, but there’s a difference between software intelligence and intelligent software.

AI-assisted development tools are products that use AI to do things like suggest code, automate documentation, or generally increase productivity. Vincent Delaroche, founder and CEO of CAST, defines software intelligence as tools that analyze code to give you visibility into it, so you can understand how the individual components work together and identify bugs or vulnerabilities.

So while intelligent software tools help you write better code, software intelligence tools sift through that code, check that it is of the highest possible quality, and make recommendations on how to get there.

“Custom software is seen as a big complex black box that very few people understand clearly, including the subject matter experts of a given system,” said Delaroche. “When you have tens of millions of lines of code, which represent tens of thousands of individual components which all interact between each other, there is no one on the planet who can claim to be able to understand and be able to control everything in such a complex piece of technology.”

Similarly, even the smartest developer doesn’t know every option available to them when writing code. That’s where AI-assisted development comes in: these tools can suggest the best possible piece of code for the application.

For example, a developer could provide a piece of code to ChatGPT and ask it for better ways of writing the code.

According to Diego Lo Giudice, principal analyst at Forrester, Amazon DevOps Guru serves a similar purpose on the configuration side. It uses AI to detect possible operational issues and can be used to configure your pipelines better.

Lo Giudice explained that quality issues aren’t always the result of bad code; sometimes the systems around the software are not configured correctly, which causes issues too, and these tools can help identify those problem configurations.

George Apostolopoulos, head of analytics at Endor Labs, further explained the capabilities of software intelligence tools as being able to perform simple rules checks, provide counts and basic statistics like averages, and do more complex statistical analysis.

Software intelligence is crucial if you’re working with dependencies

Software intelligence plays a big role not only in quality, but in security as well, solving a number of challenges with open source software (OSS) dependencies.

These tools can help by evaluating the security practices of a dependency’s developers, scanning the dependency’s code for vulnerable code, and scanning it for malicious code. They use global data to identify things like typosquatting and dependency confusion attacks.

“In the last few years a number of attacks exposed the potential of the software supply chain for being a very effective attack vector with tremendous force multiplying effects,” said Apostolopoulos. “As a result, a new problem is to ensure that a dependency we want to introduce is not malicious, or a new version of an existing dependency does not become malicious (because its code or maintainer were compromised) or the developer does not fall victim to attacks targeting the development process like typosquatting or dependency confusion.”
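The two "global data" checks named above, typosquatting and dependency confusion, as an added example that is not code from the article or from any vendor it mentions. It runs a pre-install check over a constructed requirements file: a requested name within one edit of a widely used package is flagged as a possible typosquat, and an internal package name that also resolves on the public index is flagged as a dependency-confusion risk. The popular-package list, internal package names, public-index contents and requirement lines are all constructed sample data, and the distance threshold is an assumed policy value.

```python
"""Pre-install checks for new dependencies (constructed example).

Two of the checks the article attributes to software intelligence tools:
  * typosquatting: the requested name is a near-miss of a popular package;
  * dependency confusion: an internal package name is also published on a
    public index, so a resolver that consults both may fetch the public one.
All package lists below are constructed sample data, not real registry data.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for "global data" about widely used public packages.
POPULAR_PUBLIC = {"requests", "numpy", "urllib3", "cryptography", "pyyaml", "django"}

# Constructed list of the organisation's private package names.
INTERNAL_PACKAGES = {"acme-billing", "acme-auth"}

# Constructed stand-in for a public-index lookup (names that resolve there).
PUBLIC_INDEX = POPULAR_PUBLIC | {"acme-auth", "requets"}

# Constructed requirements file: one typo and one internal name that
# collides with the public index.
SAMPLE_REQUIREMENTS = """
# constructed requirements.txt
requests==2.31.0
requets==1.0.0
acme_auth>=1.2
acme-billing==3.0
numpy==1.26.0
""".splitlines()


@dataclass
class Finding:
    package: str
    kind: str     # "typosquat" or "dependency-confusion"
    detail: str


def normalize(name: str) -> str:
    """PEP 503 style normalisation: case-fold and unify -, _ and . separators."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (transpositions are a common typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_dependency(name: str, max_distance: int = 1) -> list:
    """Return findings for one requested package name (empty list if clean)."""
    n = normalize(name)
    findings = []
    if n in INTERNAL_PACKAGES:
        # Known internal name: the only risk is that it also resolves publicly.
        if n in PUBLIC_INDEX:
            findings.append(Finding(n, "dependency-confusion",
                                    f"internal package {n!r} also exists on the public index"))
        return findings
    if n in POPULAR_PUBLIC:
        return findings  # exact match to a well-known package
    for popular in sorted(POPULAR_PUBLIC):
        d = edit_distance(n, popular)
        if 0 < d <= max_distance:
            findings.append(Finding(n, "typosquat",
                                    f"{n!r} is {d} edit(s) away from popular package {popular!r}"))
    return findings


def check_manifest(lines) -> list:
    """Extract package names from requirement lines and check each one."""
    findings = []
    for line in lines:
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:  # blank lines and '#' comments do not match
            findings.extend(check_dependency(m.group(1)))
    return findings


if __name__ == "__main__":
    for f in check_manifest(SAMPLE_REQUIREMENTS):
        print(f"{f.kind:<21} {f.package:<14} {f.detail}")
```

A real tool would replace the constructed sets with registry download counts and a live index query, and the dependency-confusion finding is best closed by pinning internal packages to the private index rather than by name alone.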

When introducing new dependencies, there are a number of questions the developer needs to answer, such as which piece of code will actually solve their problem, as a start. Software intelligence tools come into play here by recommending candidates based on a number of criteria, such as popularity, activity, amount of support, and history of vulnerabilities.

Then, to actually introduce this code, more questions pop up. “The dependency tree of a modestly complex piece of software will be very large. Developers need to answer questions like: do I depend on a particular dependency? What is the potentially long chain of transitive dependencies that brings it in? In how many places in my code do I need it?” said Apostolopoulos.

It is also possible in large codebases to be left with unused and out-of-date dependencies as code changes. “In a large codebase these are hard to find by reviewing the code, but after constructing an accurate and up-to-date dependency graph and call graph these can be automatically identified. Some developers may be comfortable with tools automatically generating pull requests that recommend changes to their code to fix issues, and in this case, software intelligence can automatically create pull requests with the proposed actions,” said Apostolopoulos.
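The questions in the two quotes above (do I depend on X, which transitive chain brings it in, in how many places do I use it, and which direct dependencies are unused or out of date), answered over a dependency graph and a call graph, as an added example that is not code from the article or from Endor Labs. The resolved graph, the per-module call graph, the pinned versions and the "latest" versions are all constructed sample data; a real tool would derive them from a lockfile, static analysis of the application, and a registry feed.

```python
"""Answering dependency-graph questions on constructed data.

For a resolved dependency graph plus a call graph of the application's own
modules, answer:
  1. do I depend on package X, directly or transitively?
  2. which chain of transitive dependencies brings it in?
  3. in how many of my own modules do I use it?
  4. which direct dependencies are unused or out of date, and what would
     an automatically proposed pull request change?
Every graph, pin and "latest" version below is constructed sample data.
"""
from collections import deque

ROOT = "app"

# Constructed resolved graph: package -> packages it requires.
DEP_GRAPH = {
    "app": ["web-framework", "http-client", "legacy-pdf", "yaml-parser"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser", "tls-lib"],
    "template-engine": ["markup-safe"],
    "legacy-pdf": ["image-codec"],
    "image-codec": [], "url-parser": [], "tls-lib": [],
    "markup-safe": [], "yaml-parser": [],
}

# Constructed call graph: application module -> packages whose APIs it calls.
CALL_GRAPH = {
    "app.routes": ["web-framework", "http-client"],
    "app.models": ["web-framework"],
    "app.reports": ["yaml-parser"],
}

# Constructed pinned versions and the latest versions a registry feed reports.
PINNED = {"web-framework": "2.1.0", "http-client": "1.4.2",
          "legacy-pdf": "0.9.1", "yaml-parser": "6.0.1"}
LATEST = {"web-framework": "2.1.0", "http-client": "1.5.0",
          "legacy-pdf": "1.2.0", "yaml-parser": "6.0.1"}


def dependency_path(graph, root, target):
    """Question 2: breadth-first search from root; returns the shortest chain
    root -> ... -> target, or None when target is not reachable."""
    parent = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for child in graph.get(node, []):
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return None


def depends_on(graph, root, target):
    """Question 1: is target anywhere in the dependency tree?"""
    return dependency_path(graph, root, target) is not None


def usage_sites(call_graph, package):
    """Question 3: application modules that call into `package`."""
    return sorted(mod for mod, pkgs in call_graph.items() if package in pkgs)


def unused_direct_dependencies(graph, root, call_graph):
    """Direct dependencies that no application module calls into. Transitive
    needs are unaffected: the resolver still pulls those in via whichever
    dependency requires them."""
    called = {p for pkgs in call_graph.values() for p in pkgs}
    return sorted(p for p in graph[root] if p not in called)


def version_tuple(v):
    """Compare plain dotted versions numerically ('1.10.0' > '1.9.0')."""
    return tuple(int(part) for part in v.split("."))


def out_of_date(pinned, latest):
    """Packages whose pinned version is older than the latest known one."""
    return sorted(p for p, v in pinned.items()
                  if p in latest and version_tuple(v) < version_tuple(latest[p]))


def proposed_actions(graph, root, call_graph, pinned, latest):
    """The change list an automated pull request would carry: drop unused
    direct dependencies, then bump whatever remains and is out of date."""
    unused = unused_direct_dependencies(graph, root, call_graph)
    actions = [f"remove {p}: no application module uses it" for p in unused]
    actions += [f"bump {p} {pinned[p]} -> {latest[p]}"
                for p in out_of_date(pinned, latest) if p not in unused]
    return actions


if __name__ == "__main__":
    print(dependency_path(DEP_GRAPH, ROOT, "markup-safe"))
    print(usage_sites(CALL_GRAPH, "web-framework"))
    for action in proposed_actions(DEP_GRAPH, ROOT, CALL_GRAPH, PINNED, LATEST):
        print(action)
```

A static call graph misses packages loaded by name at runtime (plugins, entry points, CLI tools invoked from scripts), so an "unused" result is a candidate for the proposed pull request, not proof; that is why the article's quote frames the pull request as something the developer opts into.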

Having a tool that automatically provides you with this visibility can really
