The integration of generative AI in software organizations presents promising opportunities for automating and enhancing security activities; however, its practical impact on the security practices of software organizations and associated risks remains underexplored. This study investigates how generative AI can enhance software security practices through a multi-case study involving five software organizations. By conducting semi-structured interviews with developers and managers, we identified four security practices where generative AI can support threat assessment, security testing, operational management, and education & guidance. At the same time, we uncover sociotechnical risks that may impede adoption, including concerns about inadequate data management of AI, inaccurate output, and a lack of trust. Guided by the OWASP SAMM framework and rooted in the Gioia methodological approach, our findings are synthesized into a theoretical model of generative AI adoption impacting security practices. This model highlights both the perceived benefits and the risks organizations encounter. Our work provides insights for software organizations looking to adopt generative AI into security-related workflows and contributes a foundational understanding of how such tools are perceived in practice. The paper emphasizes the importance of balancing innovation with caution as software organizations increasingly incorporate generative AI within secure development.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Investigating Generative AI’s Impact on Software Organizations’ Security Practices: A Multi-case Study Using Gioia Methodology

  • David Kinnberg Hein

摘要

The integration of generative AI in software organizations presents promising opportunities for automating and enhancing security activities; however, its practical impact on the security practices of software organizations and associated risks remains underexplored. This study investigates how generative AI can enhance software security practices through a multi-case study involving five software organizations. By conducting semi-structured interviews with developers and managers, we identified four security practices where generative AI can support threat assessment, security testing, operational management, and education & guidance. At the same time, we uncover sociotechnical risks that may impede adoption, including concerns about inadequate data management of AI, inaccurate output, and a lack of trust. Guided by the OWASP SAMM framework and rooted in the Gioia methodological approach, our findings are synthesized into a theoretical model of generative AI adoption impacting security practices. This model highlights both the perceived benefits and the risks organizations encounter. Our work provides insights for software organizations looking to adopt generative AI into security-related workflows and contributes a foundational understanding of how such tools are perceived in practice. The paper emphasizes the importance of balancing innovation with caution as software organizations increasingly incorporate generative AI within secure development.