CLOUD SECURITY LAB

πŸ€– In the Era of AI-Generated Code, Who is Responsible for Security? β€” The Shadow of No-Code Development

β€”

by

cslab
in

“I asked the AI to do it, and it worked well.”

Did you know that a password was hardcoded into that very code?

🎯 What this article covers

  • Security mistakes inadvertently made when developing with AI Agents
  • Structural risks of no-code and non-developer development
  • Why hardcoded secrets are critical (including real-world examples)
  • Will AI’s further advancement automatically solve this problem?
  • Realistic reflections and responses we need to make right now

πŸ“Œ Introduction / Background β€” “Isn’t it fine as long as it works?”

The development environment is changing rapidly these days. ChatGPT, Claude, Cursor, GitHub Copilot… we’ve entered an era where you can tell an AI, “Make this for me,” and plausible code appears in an instant.

Thanks to this, many things have become possible. Planners can create prototypes directly, marketers can configure data pipelines, and designers can integrate APIs. The phrase “an era where even non-developers can develop” has become a reality, not just a slogan.

But there’s a problem.

AI does write code well. However, AI does not automatically take care of security. Or, to be precise β€” it won’t take care of it unless you ask.

# AI-generated code without much thought
import openai

client = openai.OpenAI(api_key="sk-proj-xxxxxxxxxxxxxxxxxxxxxxxx")  # 😱

response = client.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": "μ•ˆλ…•"}]
)

It only takes a few minutes for code like this to be uploaded to GitHub. And the time it takes for this API key to be stolen is… much shorter.

πŸ” Why doesn’t AI handle security?

AI’s primary goal is to “make what was requested work.” If a user asks, “Write code to upload a file to AWS S3,” it will first provide the fastest working code.

If you don’t also ask for security best practices, AI will naturally embed the Access Key directly into the code.

🧩 What is Hardcoding?

Hardcoding is the act of writing values directly into the code. From a security perspective, it’s particularly problematic when secret information is written directly into the code:
Things that should not be hardcoded Why it’s dangerous
API Keys (OpenAI, Stripe, AWS, etc.) Exposed globally when uploaded to GitHub
DB Passwords DB access possible just by sharing code
JWT Secret Token forgery possible
Cloud IAM Credentials Risk of full cloud privilege escalation
OAuth Client Secret Service impersonation possible

In fact, between 2023 and 2024, millions of secret exposures were reported on GitHub. A significant portion of these were cases where “AI-generated code was simply uploaded.”

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *