AI for Development
It was a great pleasure giving a guest lecture at ETH Zürich on how we use AI-enabled software development to improve the quaity of security critical software. This is a summary of the talk:
At IdentityPlane, we’ve adopted an "AI First" way of working to achieve high quality in building cloud-native security software. Our goal is simple: leverage AI to improve our code quality and enjoy the speed benefits that come with it.
Spec-Driven Development: Our Process for Quality and Speed
Our most efficient methodology is Spec-Driven Development. We treat AI as a highly engaged junior developer, but you better manually review its code at every stage. This approach accelerates development while ensuring robust quality:
- Specification Creation: We first explain the feature requirements to the AI and have it translate them into a formal specification, usually in a Markdown file.
- Interface Generation: The AI generates the initial interface code, which is then manually adjusted.
- Test Case Generation: This is where AI truly shines. We generate test cases, with the AI proving excellent at creating thorough edge cases for testing, almost like a fuzzer. This is where we believe AI helps us the most as we can generate a broader coverage of test cases compared to the manual workflow. This way we detected many potential bugs before they were added to the codebase. As most of our code is in golang we use table driven unit tests for that, but this applies to almost any other language as well in some way.
- Implementation and Refinement: We instruct the AI to generate the implementation code and automatically runs the generated test cases. In this constant feedback loop, the AI adjusts both the code and the tests until all conditions are correctly satisfied. Golang is very well suited for this thanks to the integrated tooling, as well as fast compile and executing time.
- Final Review: The developer manually reviews the final result, ensuring the code meets all standards and requirements.
To make this entire process effective the process needs to be documented. We describe our process in an AI-friendly document (an mdc file) that is automatically included by tools like Cursor. Furthermore, maintaining great documentation about the software architecture is essential, as it helps the AI better understand the existing codebase. This is an example: https://github.com/Identityplane/GoAM/blob/main/docs/internal_architecture.md
Key Takeaways for Developers and Orgs:
This new methodology has significant implications for how engineering teams operate:
- Know your tech stack or AI will lead you to the wrong paths.
- Keep features small.
- Invest into documentation for the AI agents.
- Rethink the confidentialty of your code, this slows you down.
- Just pay the licenses, it's peanuts compared to a developer salary.
- Don't overinvest into tools and processes. The industry changes fast, so let devs lead.
- Dont try out every new tool.
Gian-Luca Frei
Gian-Luca Frei is security engineer and specialist for login and authentication. He has a proven track record of securing systems with the highest security standards, including e-banking portals and health applications.
He previously spent 6 years at Zühlke as a security consultant, working in a highly international setting across Switzerland, Singapore, and Hong Kong.
Gian-Luca is also the founder and co-leader of the OWASP Application Gateway Project.
He has a keen interest in modern cryptographic protocols, and his contributions were recognized with the ISSS Excellence Award in 2019.
Our latest article
Offer Your User Secure and Easy Login Experinces?
Ready to elevate your very first user touchpoin? Contact us today and transform your business with better user experiences.
