A study by researchers at Stanford University found that developers who used AI assistants such as GitHub Copilot and Facebook InCoder wrote less secure code than those who did not.
Moreover, such tools also gave programmers a false sense of security: many of those who used the assistant believed it had helped them write better code.
Nearly 50 participants with varying levels of expertise were each given five coding tasks in different languages; some completed them with the AI assistant, while a control group worked without any help at all.
The authors of the paper, Neil Perry, Megha Srivastava, Deepak Kumar and Dan Boneh, stated that “particularly significant results were obtained with string encryption and SQL injection.”
They also cited previous research showing that about 40% of programs generated with GitHub Copilot contained vulnerable code, although a further study found that developers using Large Language Models (LLMs) such as OpenAI's codex-cushman-001, the model GitHub Copilot was built on, produced only about 10% more critical security bugs than those working unaided.
However, the Stanford researchers pointed out that their own study used OpenAI's codex-davinci-002, a newer model than Cushman that is also used by GitHub Copilot.
They also covered several programming languages, including Python, JavaScript and C, whereas the second paper looked only at C, to which the authors attribute the differing findings. Indeed, in the Stanford study too, participants using the assistant to write C did not produce noticeably more bugs.
One of the five tasks involved writing Python code, and here the code was buggier and less secure when the AI assistant was used. Participants with the assistant were also “much more likely to use trivial ciphers such as substitution ciphers (p < 0.01) and did not perform an authenticity check on the final returned value.”
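To make the two quoted mistakes concrete, here is an added example that is not code from the Stanford paper or from The Register. It shows a substitution cipher falling to a single known plaintext, then a decrypt routine that skips the authenticity check beside one that verifies an HMAC tag before returning anything. The encrypt-then-MAC construction uses only the Python standard library, with HMAC-SHA256 run in counter mode as the stream cipher; the keys, the message `pay 100` and the bit-flipping attack are all constructed for the demonstration, and the function names are my own.

```python
# Added example (not code from the Stanford paper or The Register article):
# the two mistakes quoted above, a substitution cipher and decryption with no
# authenticity check, next to an encrypt-then-MAC construction built from the
# Python standard library. Keys, message and the tampering are constructed.
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_lowercase
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def substitution_encrypt(plaintext: str, key: str) -> str:
    """The 'trivial cipher' case: a fixed 26-letter permutation. Each plaintext
    letter always maps to the same ciphertext letter, so letter frequencies
    or a single known plaintext give the whole key away."""
    return plaintext.translate(str.maketrans(ALPHABET, key))


def recover_substitution_key(plaintext: str, ciphertext: str) -> dict:
    """Known-plaintext attack: read the mapping straight off one pair."""
    return {p: c for p, c in zip(plaintext, ciphertext) if p in ALPHABET}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; XORing with this keystream
    gives a stream cipher (confidentiality only, no integrity)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Output layout: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_without_check(enc_key: bytes, blob: bytes) -> bytes:
    """The flagged pattern: decrypt and return, never verifying the tag.
    Any bit an attacker flips in the ciphertext flips the same bit of
    the returned plaintext, and the caller is none the wiser."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def flip_amount(blob: bytes) -> bytes:
    """Constructed attack: turn 'pay 100' into 'pay 900' without any key by
    XORing the ciphertext byte under the '1' with ord('1') ^ ord('9')."""
    pos = NONCE_LEN + len(b"pay ")
    tampered = bytearray(blob)
    tampered[pos] ^= ord("1") ^ ord("9")
    return bytes(tampered)


def tamper_demo(enc_key: bytes, mac_key: bytes) -> tuple:
    """Return what the unchecked decryptor hands back for a tampered blob and
    whether the verifying decryptor accepted it."""
    blob = flip_amount(encrypt_then_mac(enc_key, mac_key, b"pay 100"))
    unchecked = decrypt_without_check(enc_key, blob)
    try:
        decrypt_and_verify(enc_key, mac_key, blob)
        accepted = True
    except ValueError:
        accepted = False
    return unchecked, accepted


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    print(substitution_encrypt("attack at dawn", ALPHABET[::-1]))
    print(tamper_demo(enc_key, mac_key))
```

Run stand-alone, the unchecked decryptor returns `pay 900` for the tampered blob while the verifying one rejects it, which is the whole point of the "authenticity check on the final returned value" the quoted participants omitted. Two independent keys are used so that the MAC key is never reused as cipher key; in real code an AEAD mode such as AES-GCM from a vetted library does this in one call.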
The authors hope their study will lead to further improvements in AI assistants rather than an outright rejection of the technology, given the productivity gains such tools can offer. They only maintain that the tools should be used with care, since they can mislead programmers into thinking the generated code is infallible.
They also believe that AI assistants can encourage more people to get involved in coding, whatever their experience, including those who might otherwise be put off by the discipline's unwelcoming culture.
Source: The Register