Disclosure: Some links in this article are affiliate links.
We may earn a commission at no extra cost to you if you purchase through them.
Netlify CTO Dana Lawson: Writing Code Is No Longer the Job — A Practical Guide to Evolving Your Developer Role
How AI-Assisted Development Is Reshaping Software Testing and Security Practices
Why This Matters
In a recent industry-shifting statement, Netlify CTO Dana Lawson declared that "writing code is no longer the job." This isn't hyperbole—it's a recognition that the fundamental nature of software development is transforming before our eyes. As AI coding assistants become increasingly sophisticated, the value developers provide is rapidly shifting from syntax production to architectural thinking, quality assurance, and security oversight.
For software testing and security professionals, this paradigm shift presents both unprecedented opportunities and significant risks. When AI can generate thousands of lines of code in minutes, the bottleneck moves squarely to validation, testing, and security verification. The developers who thrive in this new landscape won't be those who type the fastest—they'll be those who can effectively orchestrate AI tools while maintaining rigorous quality and security standards.
This guide provides a concrete, actionable framework for adapting your workflow to this new reality. You'll learn how to leverage AI for code generation while implementing robust testing and security practices that protect against the unique vulnerabilities AI-generated code can introduce.
Prerequisites
Before implementing this workflow transformation, ensure you have: Technical Requirements:
- Node.js 18+ or Python 3.10+ installed
- Git version control configured
- A Netlify account (free tier works for learning)
- Access to an AI coding assistant (GitHub Copilot, Claude, or Cursor)
- A code editor with AI integration capabilities Knowledge Requirements:
- Basic understanding of CI/CD pipelines
- Familiarity with unit testing concepts
- General awareness of OWASP Top 10 vulnerabilities
- Experience deploying applications to cloud platforms Mindset Requirements:
- Willingness to shift from "code writer" to "code curator"
- Acceptance that AI output requires verification, not blind trust
- Commitment to security-first thinking
Step-by-Step Instructions
Step 1: Establish Your AI-Assisted Development Environment
First, configure your development environment to support the new workflow where AI generates code and you validate it.
Create a new project structure that separates AI-generated code from human-verified code:
mkdir ai-assisted-project && cd ai-assisted-project
npm init -y
# Create directory structure
mkdir -p src/{generated,verified} tests/{unit,security,integration} .ai-context
Create an AI context file that will guide all AI interactions:
.ai-context/project-rules.yamlproject_name: "AI-Assisted Secure Application"
security_requirements:
- All user input must be sanitized
- No secrets in code
- All API endpoints require authentication
- SQL queries must use parameterized statements
testing_requirements:
- Minimum 80% code coverage
- All public functions require unit tests
- Security tests for all input handlers
code_style:
- Use TypeScript strict mode
- Prefer immutable data structures
- All functions must have JSDoc comments
Step 2: Implement the "Generate-Validate-Secure" Workflow
The core of Lawson's insight is that developers now orchestrate rather than produce. Here's how to implement this:
// src/generated/user-service.js
// AI-GENERATED: Requires human review before moving to verified/
/**
* User authentication service
* Generated by: AI Assistant
* Review status: PENDING
* Security scan: PENDING
*/
class UserService {
constructor(database) {
this.db = database;
}
async authenticateUser(email, password) {
// AI generated this - needs security review
const user = await this.db.query(
'SELECT * FROM users WHERE email = ? AND password = ?',
[email, password]
);
return user;
}
async createUser(userData) {
const { email, password, name } = userData;
return await this.db.insert('users', { email, password, name });
}
}
module.exports = UserService;
Now create the validation script that must run before any AI code moves to production:
// scripts/validate-ai-code.js
const fs = require('fs');
const path = require('path');
class AICodeValidator {
constructor() {
this.securityPatterns = [
{
pattern: /password\s*=\s*['"][^'"]+['"]/gi,
severity: 'CRITICAL',
message: 'Hardcoded password detected'
},
{
pattern: /eval\s*\(/gi,
severity: 'HIGH',
message: 'Dangerous eval() usage detected'
},
{
pattern: /innerHTML\s*=/gi,
severity: 'MEDIUM',
message: 'Potential XSS vulnerability with innerHTML'
},
{
pattern: /SELECT\s+\*\s+FROM.*\+/gi,
severity: 'CRITICAL',
message: 'Potential SQL injection - string concatenation in query'
}
];
}
async validateFile(filePath) {
const content = fs.readFileSync(filePath, 'utf8');
const issues = [];
for (const check of this.securityPatterns) {
if (check.pattern.test(content)) {
issues.push({
file: filePath,
severity: check.severity,
message: check.message
});
}
}
return {
file: filePath,
passed: issues.length === 0,
issues
};
}
async validateDirectory(dirPath) {
const results = [];
const files = fs.readdirSync(dirPath, { recursive: true });
for (const file of files) {
if (file.endsWith('.js') || file.endsWith('.ts')) {
const result = await this.validateFile(path.join(dirPath, file));
results.push(result);
}
}
return results;
}
}
// Run validation
const validator = new AICodeValidator();
validator.validateDirectory('./src/generated').then(results => {
const failures = results.filter(r => !r.passed);
if (failures.length > 0) {
console.error('❌ AI Code Validation Failed:');
failures.forEach(f => {
f.issues.forEach(i => {
console.error(` [${i.severity}] ${i.file}: ${i.message}`);
});
});
process.exit(1);
}
console.log('✅ AI Code Validation Passed');
});
Step 3: Integrate Automated Security Testing
Create a comprehensive security testing suite using Snyk or OWASP ZAP:
// tests/security/ai-code-security.test.js
const { execSync } = require('child_process');
describe('AI-Generated Code Security Tests', () => {
test('should not contain known vulnerable dependencies', () => {
// Using Snyk for dependency scanning
try {
execSync('npx snyk test --severity-threshold=high', {
encoding: 'utf8'
});
} catch (error) {
throw new Error(`Vulnerable dependencies found: ${error.stdout}`);
}
});
test('should pass static security analysis', () => {
// Using semgrep for SAST
const result = execSync(
'npx @semgrep/semgrep --config=auto src/generated/',
{ encoding: 'utf8' }
);
expect(result).not.toContain('error');
});
test('authentication functions should use secure password handling', () => {
const UserService = require('../../src/generated/user-service');
// Verify password is never stored in plain text
const serviceCode = UserService.toString();
expect(serviceCode).not.toMatch(/password\s*=\s*userData\.password/);
});
});
Step 4: Configure Netlify for Secure AI-Code Deployment
Create a Netlify configuration that enforces security gates:
netlify.toml[build]
command = "npm run build:secure"
publish = "dist"
[build.environment]
NODE_VERSION = "18"
AI_CODE_VALIDATION = "strict"
# Security headers
[[headers]]
for = "/*"
[headers.values]
X-Frame-Options = "DENY"
X-Content-Type-Options = "nosniff"
X-XSS-Protection = "1; mode=block"
Content-Security-Policy = "default-src 'self'"
# Build plugins for security
[[plugins]]
package = "@netlify/plugin-lighthouse"
[plugins.inputs]
fail_deploy_on_score_thresholds = "true"
Create the secure build script:
{
"scripts": {
"validate:ai": "node scripts/validate-ai-code.js",
"test:security": "jest tests/security/",
"test:unit": "jest tests/unit/",
"audit": "npm audit --audit-level=high",
"build:secure": "npm run validate:ai && npm run audit && npm run test:security && npm run test:unit && npm run build"
}
}
Step 5: Implement Continuous Monitoring for AI-Generated Code
// scripts/monitor-ai-drift.js
/**
* Monitors AI-generated code for behavioral drift
* Runs in production to detect anomalies
*/
class AICodeMonitor {
constructor(metrics) {
this.metrics = metrics;
this.baselinePatterns = new Map();
}
recordBaseline(functionName, expectedBehavior) {
this.baselinePatterns.set(functionName, {
avgExecutionTime: expectedBehavior.avgExecutionTime,
expectedOutputPattern: expectedBehavior.outputPattern,
errorRate: expectedBehavior.errorRate
});
}
async monitor(functionName, execution) {
const baseline = this.baselinePatterns.get(functionName);
if (!baseline) {
console.warn(`No baseline for ${functionName}`);
return;
}
const start = Date.now();
try {
const result = await execution();
const duration = Date.now() - start;
// Check for anomalies
if (duration > baseline.avgExecutionTime * 2) {
this.metrics.emit('ai-code-anomaly', {
type: 'performance-degradation',
function: functionName,
expected: baseline.avgExecutionTime,
actual: duration
});
}
return result;
} catch (error) {
this.metrics.emit('ai-code-error', {
function: functionName,
error: error.message
});
throw error;
}
}
}
module.exports = AICodeMonitor;
Common Pitfalls & How to Avoid Them
Pitfall 1: Trusting AI Output Without Verification
The Problem: AI assistants generate plausible-looking code that may contain subtle security flaws or logical errors. The Solution: Implement mandatory code review gates. Never deploy AI-generated code directly to production. Use SonarQube for automated quality gates.Pitfall 2: Losing Context Between AI Sessions
The Problem: AI doesn't remember previous conversations, leading to inconsistent code patterns. The Solution: Maintain comprehensive context files (like the.ai-context/ directory above) and always include relevant context in your prompts.
Pitfall 3: Over-Reliance on AI for Security Decisions
The Problem: AI may suggest "secure" code that doesn't meet your specific compliance requirements. The Solution: Maintain a human-authored security requirements document and validate all AI security implementations against it using Checkov or similar policy-as-code tools.Pitfall 4: Neglecting Test Coverage for AI Code
The Problem: Assuming AI-generated code works correctly without comprehensive testing. The Solution: Require higher test coverage thresholds (90%+) for AI-generated code compared to human-written code. Use Istanbul for coverage reporting.Real-World Example / Code Walkthrough
Let's walk through a complete example of the new workflow, building a secure API endpoint: Step 1: Define Requirements in Context File
.ai-context/api-requirements.yamlendpoint: /api/users/:id
method: GET
security:
- Requires JWT authentication
- Rate limited to 100 requests/minute
- Must sanitize user ID parameter
- Log all access attempts
Step 2: Generate Code with AI
Prompt your AI assistant with the context file, receiving:
// src/generated/api/users.js
// AI-GENERATED: Review Required
const jwt = require('jsonwebtoken');
const rateLimit = require('express-rate-limit');
const { sanitizeInput } = require('../utils/sanitize');
const limiter = rateLimit({
windowMs: 60 * 1000,
max: 100
});
async function getUserById(req, res) {
try {
const userId = sanitizeInput(req.params.id);
// Log access attempt
console.log(`User access attempt: ${userId} at ${new Date().toISOString()}`);
const user = await db.users.findById(userId);
if (!user) {
return res.status(404).json({ error: 'User not found' });
}
// Remove sensitive fields
const { password, ...safeUser } = user;
res.json(safeUser);
} catch (error) {
res.status(500).json({ error: 'Internal server error' });
}
}
module.exports = { getUserById, limiter };
npm run validate:ai
# ✅ Security patterns check passed
# ⚠️ Warning: Consider using structured logging instead of console.log
npm run test:security
# ✅ All security tests passed
After automated checks pass, perform manual review focusing on business logic correctness and move to verified:
mv src/generated/api/users.js src/verified/api/users.js
git add . && git commit -m "Verified: User API endpoint - human reviewed"
Summary & Next Steps
Dana Lawson's observation that "writing code is no longer the job" isn't a prediction—it's our current reality. The developers who succeed in this new paradigm will be those who master the art of AI orchestration while maintaining unwavering commitment to quality and security. Key Takeaways:
The transition from code writer to code curator is not a diminishment of the developer role—it