Researchers at Stanford University have found that programmers who use AI assistants such as GitHub Copilot write less secure code than those who work without them, The Register reports.
Asked whether users write more insecure code with AI assistants, researchers Neil Perry, Megha Srivastava, Deepak Kumar and Dan Boneh answered in the affirmative.
They also found that AI assistance tends to mislead developers about the quality of their output.
“We found that participants with access to an AI assistant often created more security vulnerabilities than those without access, with particularly significant results for string encryption and SQL injection. Surprisingly, we also found that participants who were provided access to an AI assistant were more likely to believe they had written secure code than those without access to an AI assistant,” the authors state in their paper.
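For readers unfamiliar with the vulnerability classes the paper singles out, SQL injection typically arises when a query is built by interpolating user input into the SQL string. The following minimal sketch, an illustration rather than code from the study, uses Python's standard sqlite3 module to contrast the unsafe pattern with a parameterized query:

```python
import sqlite3

def find_user_unsafe(conn: sqlite3.Connection, username: str):
    # Vulnerable: the input is spliced directly into the SQL string,
    # so a value like "x' OR '1'='1" changes the meaning of the query.
    query = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str):
    # Safer: the driver binds the value as a parameter, so it is
    # treated as data rather than as part of the SQL statement.
    query = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()
```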
The study is limited in scope, however, as it considers only a constrained set of prompts corresponding to 25 vulnerabilities and just three programming languages: Python, C, and Verilog.
During the study, participants were asked to write code in response to five prompts using a standalone React-based Electron application, monitored by the study administrator. The first prompt asked for two Python functions, one to encrypt and the other to decrypt a given string using a given symmetric key.
For that question, those relying on AI assistance were more likely to write incorrect and insecure code than the control group working without automated help: only 67 percent of the assisted group gave a correct answer, compared with 79 percent of the control group. Those in the assisted group were also more likely to provide an insecure solution, to use trivial ciphers, and to omit an authenticity check on the final returned value.
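The study's reference solutions are not reproduced here, but as a rough sketch of what a secure answer to that prompt could look like, the example below assumes the third-party cryptography package, whose Fernet construction provides authenticated symmetric encryption, which is one way to address the missing "authenticity check" the researchers flagged:

```python
from cryptography.fernet import Fernet, InvalidToken

def encrypt_string(plaintext: str, key: bytes) -> bytes:
    # Fernet combines symmetric encryption with a MAC, so the
    # ciphertext carries an integrity/authenticity tag.
    return Fernet(key).encrypt(plaintext.encode("utf-8"))

def decrypt_string(token: bytes, key: bytes) -> str:
    try:
        return Fernet(key).decrypt(token).decode("utf-8")
    except InvalidToken:
        # The authenticity check failed: wrong key or tampered ciphertext.
        raise ValueError("decryption failed: token is invalid or was modified")

# Usage sketch: key = Fernet.generate_key(); decrypt_string(encrypt_string("hi", key), key)
```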
The authors state that AI assistants should be approached with caution, as they can mislead inexperienced developers and introduce security vulnerabilities.
At the same time, they hope their findings will lead to improvements in how AI assistants are designed, since these tools have the potential to make programmers more productive.