AI coding assistants can help developers move incredibly fast. But this new speed comes with a new challenge: security drift.

This episode is sponsored by Maze.

In this episode of DevSec Station, Tanya Janca explores how tools like GitHub Copilot, ChatGPT, Cursor, and other AI coding assistants can unintentionally change the security assumptions your software was built on. You'll learn what security drift is, why it happens so quietly, and how to keep the benefits of AI-assisted development without letting important security controls slowly disappear.

You'll learn:
• what security drift is and why it matters
• how AI-generated code can subtly change security assumptions
• why confidence and correctness are not the same thing
• how security controls disappear during seemingly harmless refactors
• practical ways to add guardrails to AI-assisted development workflows

Tanya walks through a realistic example of how authentication checks, input validation, and logging can slowly weaken over time as AI-generated code evolves through multiple edits and refactors. The code still works, the tests still pass, but the security posture is no longer what the team originally intended.

One practical action from this episode:

Choose one security-sensitive area where AI generates code for you, such as authentication, authorization, input validation, or secrets handling.

Then:
• identify a known-good secure implementation
• require AI-generated code to follow that pattern
• add a review step or checklist item
• automate enforcement where possible using tests, linters, static analysis, prompts, or a RAG server

The goal isn't to slow down or ban AI. It's to prevent AI from making security decisions on your behalf.

DevSec Station is a podcast by Tanya Janca (SheHacksPurple), focused on short, practical lessons that help software developers build more secure software.

Follow Tanya:

This episode is sponsored by Maze.
One of the biggest problems in security right now is that every vulnerability scanner says everything is critical, and honestly, no one has time for that.

Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary.

Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now.

Learn more about Maze https://mazehq.com/devsec

Podden och tillhörande omslagsbild på den här sidan tillhör Tanya Janca | SheHacksPurple. Innehållet i podden är skapat av Tanya Janca | SheHacksPurple och inte av, eller tillsammans med, Poddtoppen.