If your developers are using ChatGPT as a coding assistant, what are you doing to prevent devs from leaking corporate secrets to it?

Security & GRCSoftware Development
1.1k viewscircle icon2 Upvotescircle icon2 Comments
Sort by:
Director Global Network / Security Architecture and Automation in Finance (non-banking)3 years ago

End user / developer training and DLP controls. Chat GPT can not come up with code ideas but it can write code based on requirements. That means unless the entire app is written in one query it's not placing data that could hurt intellectual property.
Like every new online tool it needs to be secured but we should make the security into an obstacle course.

Co-Founder in Services (non-Government)3 years ago

First we need to define secrets, basically we need to do data classification in the company, Second,  if they using the web option, then network DLP ( swg  casb,sse) should do the trick (if configured correctly)..if they using API i will need to do a research on options. Could be end point dlp, but its a different problem:)

Content you might like

What are your biggest obstacles to Passwordless authentication adoption at your organization?

Migration from existing MFA35%

App coverage/integration57%

Security Concerns58%

End user education/awareness26%

Other (please comment below)4%

View Results

With AI adoption accelerating across enterprises, what do you view as the top information security challenge that leaders should address? How can CISOs, VPs and Director’s align governance, risk and security investments to enable AI innovation without creating new exposures?

Read More Comments

Which of the following measures do you have in place to safeguard against ransomware attacks?

Cyber insurance with ransomware coverage31%

Law enforcement contact(s)41%

Ransomware response plan57%

Ransomware task force/team39%

Bitcoin account for ransomware payments12%

Disaster recovery site27%

Other (comment below)1%

View Results

Seeking input: Has anyone drafted an SOW for a cloud-based SIEM with setup, migration, and maintenance? I’m working on a FedRAMP-authorized SIEM SOW, migrating from on-prem Splunk, covering data, searches, alerts, dashboards, and models. 
Scope includes Environment Setup: 
Cloud provisioning, configuration, testing.
Connectors/Parsers: Custom data source integration.
Content Development: Rules, use cases, threat feeds.
Performance Tuning: Query/index optimization.
Runbooks: Operational procedures.

Also required: 24x7 support, maintenance, lifecycle and application management, role-based training, and documentation. 
Must comply with NIST SP 800-53, CJIS, and FedRAMP Moderate+. Goal: Secure, scalable SIEM for rapid deployment. I may be missing elements, so suggestions are welcome. Please share redacted SOWs or tips if possible.

Do you manage AI and traditional IT infrastructure investments as separate portfolios (budgets, governance and decision criteria) or do you combine them? What are the benefits and drawbacks of your approach?

Read More Comments