Artificial intelligence manages traffic flows and production, makes medical diagnoses, and composes music. In digital security, AI is an entirely separate field: smart tools help developers not only write but also verify code, detect hacker attacks, and generally reduce the routine workload of information security specialists. But will the industry only benefit from using AI, or does the technology also introduce new risks? This was the question taken up by participants in the discussion session Secure Development Without AI Illusions: What Really Works in Business? – held as part of the Security UP: Security Starts with Code awards, organized by the FinTech Association, Solar Group, and the FinDevSecOps community.
Defensive or offensive?
The number of cyberattacks is growing worldwide every year, and it is widely believed that artificial intelligence tools will reduce the severity of the problem. AI solutions do make it easier to identify vulnerabilities, analyze large datasets, and respond to incidents faster than humans. However, artificial intelligence can also become an information security threat – and even a means of attack.
For example, attackers can use AI in the preparation phase of cyberattacks – leveraging smart algorithms to quickly compile dossiers on target companies, more easily find compromised passwords and tokens online, and analyze CTO presentations.
“Soon, a hacker will have a folder on any company they want to hack,” predicts Viktor Bobylkov, Director of Cybersecurity at MTS Web Services.
AI’s ability to uncover hidden vulnerabilities also carries consequences. An IT infrastructure may contain thousands of vulnerabilities, each theoretically exploitable. Who ends up with the detection tools remains an open question. For instance, the new language model Claude Mythos Preview autonomously finds and exploits previously unknown vulnerabilities in popular operating systems, browsers, and cryptographic libraries.
“This poses a fundamental risk to the entire industry of information security. We used to fear quantum computing, but that now looks like ‘child’s play,’” explains Sergei Demidov, Deputy Chairman of the Board for Information Security at the Moscow Exchange.
Keep an eye on vibe coder
AI is heavily used in software development: over 90% of developers in the United States use AI tools daily.
“AI writes code well – and a lot of it. It can also review code and find vulnerabilities. Static analysis tools for vulnerability detection may soon be completely replaced by AI,” notes Viktor Bobylkov.
However, this trend also creates new information security challenges – there is no guarantee that AI-generated code will be error-free.
“When developers write code with AI, new patterns and vulnerabilities emerge that standard scanners might not immediately detect,” explains Fyodor Gerasimov, DevSecOps Tech Lead at T1 Holding.
To mitigate such risks, additional analysis is required, says the expert. Moreover, security processes need to be restructured, requiring qualified specialists with AI expertise.
Final decision is up to humans
AI can certainly make many tasks easier and faster. Still, it’s important to remember that AI is essentially an ideal executor of tasks.
“AI is a tool that must be used correctly. You need to know its strengths and weaknesses and understand its limitations – what it can and cannot do,” says Yuri Shabalin, Senior Director of AI Technology Development at Swordfish Security Group.
AI can certainly be integrated into application security analyzers to optimize and simplify operations. But the final decision on what qualifies as a vulnerability always rests with a human, notes Vladimir Vysotsky, Head of Business Development for Solar appScreener software.
“A human always makes the final call. Classic SAST analysis should always validate the SAST analysis performed by AI. Because AI is something you’d better double-check,” Vysotsky clarifies.
Will AI cut costs?
AI adoption is often linked to potential cost reductions, including staff cuts as “smart” algorithms replace human roles. However, it’s too early to talk about savings from AI solutions – in fact, their use may lead to additional expenses for businesses. For example, the annual payroll for a secure development team alone runs into tens of millions of rubles, and integrating specialized AI tools only adds costs.
“Many CFOs are surprised that costs rise with AI adoption. Developers still draw salaries, you pay for AI subscriptions, and then developers consume AI tokens (internal currency for neural network queries) – and they consume a lot. Such a developer ends up costing the company even more than before AI was introduced,” notes Viktor Bobylkov.
AI hasn’t yet led to workforce reductions either. The rise of vibe coding and increased code volume raises the need to hire more people – additional AppSec specialists.
“The question is where to find these people and how much they will cost,” notes Vladimir Vysotsky.
“The fundamental problem with AI adoption globally is that real monetary savings aren’t happening. It seems AI’s efficiency can’t yet be measured in money – only in emotions,” concludes Sergei Demidov.