During her keynote at QCon London, Tracy Bannon, senior principal/software architect and researcher at MITRE, argued that AI will be able to enhance the software development lifecycle (SDLC), though currently it’s at the "code completion" rather than "code generation" phase. Throughout her presentation, she continuously stressed the importance of keeping humans in the loop and fixing your company’s SDLC before embracing AI.
Bannon started by comparing the adoption of generative AI in software development with the transition from physical maps to the (now) ubiquitous navigation software. The first phase of the transition was the web-based Google Maps navigation hints printed on paper, then dedicated GPS units, and finally the current state of navigation applications incorporated in each smartphone.
She mentioned that this time she agrees with Gartner’s Hype Cycle for Emerging Technologies Report, in that we are at the peak of the AI cycle and two to five years away from reaching the plateau of productivity.
And even though there is a huge buzz all around us about the benefits and the power of generative AI ("You would expect AI to be present in supermarkets between biscuits and milk"), the technology is just a small part of the "ML Universe".
She emphasized that the work done by software architects and developers is complex, and often no "black or white" decisions can be taken. There are always tradeoffs to be considered, which points to AI only being capable of assisting in these decisions. For emphasis, she quoted industry leaders:
Grady Booch, IBM Fellow: The entire history of software engineering is one of rising levels of abstraction.
Paul Edwards, CTO @ AND Digital: Software engineers do complex work. It consists of problem-solving in a messy, non-linear environment where there is no right or wrong answer to a problem and where there are multiple trade-offs to be made.
Further, she referred to areas where AI could be used in the SDLC, quoting data from Stack Overflow’s 2023 developer survey: documentation, code augmentation, debugging, code completion and test augmentation were the areas where developers had tried using generative AI.
She pointed at the "elephant in the corner": for now there is more code completion than code generation. She recommended that developers use one of the two: generate tests and write code, or vice versa, but never both, because:
"The Human Needs to be Kept in The Loop, the Gen AI is like a 15-year-old with a lot of energy that sometimes makes you proud of their achievements and at points makes you ask yourself why would it do that?"
More than that, she underlined that generative AI contradicts some of the DevSecOps principles (traceability, auditability, reproducibility, explainability), stressing the issue of security. She mentioned that the code she generated with different tools broke the OWASP Web Security Principles, but also that the code you have might leave the boundaries of your organisation.
Bannon recommended fixing the SDLC in your organisation before adopting AI. She hinted that a good starting point is implementing minimum viable continuous delivery while measuring the impact in your organisation, pointing at SPACE and DORA metrics (a good metric to start with is the number of deployments).
In the last part of her presentation, Bannon issued a call to action, inviting the audience to:
- Survey your organization to see if and how AI is being used
- Enable research and discovery for genAI usage
- Make cybersecurity your highest priority
- Establish reasonable guardrails
- Connect with your providers to ask about model quality and security questions
- Ask your platform providers about their AI roadmap
She encouraged the audience to ask themselves the following questions:
- How do you think the SDLC will change?
- How is your organisation preparing?
- What are you personally focusing on?
- Share your organization's story, and the lessons learned
- Explore and share new use cases and new tools
Bannon concluded her presentation by pointing out that it’s impossible to go back before we had AI ("You can’t put the genie back in the bottle") and encouraged developers to keep cybersecurity as the number one concern while moving forward with generative AI. It is still valuable to keep the human in the loop.