
Developers more likely to introduce security vulnerabilities in code when using AI assistants

The findings come as an increasing number of developers turn to AI pair programmers due to productivity benefits

Developers who use AI pair programming assistants like GitHub Copilot are more likely to introduce security vulnerabilities for the majority of programming tasks.

Researchers from Stanford University set participants a series of coding tasks across different programming languages. Participants were split into two groups: those given access to OpenAI's Codex model (the model underlying GitHub Copilot) through an AI pair programmer interface, and a control group that relied only on their own knowledge of the language.

Participants were set six tasks divided across languages including Python, JavaScript, and C. The encryption task was of particular concern to the researchers: only 67% of those who used the AI assistant produced a correct, secure solution, compared to 79% of those who relied only on their own skills.

Participants with access to an AI assistant were not only more likely to introduce security vulnerabilities; the Stanford researchers also found they were more likely to rate their insecure answers as secure than those who didn't use the AI technology.

The researchers also raised concerns about diligence. Those who used AI assistants were less likely to take the care of searching the language's documentation to protect against unsafe implementations, for example. Their findings noted that this was "concerning given that several of the security vulnerabilities [they] saw involved improper library selection or usage".
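To make the "improper library selection or usage" failure concrete, the following is an added example and not code from the Stanford study or from any AI assistant. It sketches the encrypt/decrypt task type the study describes, pairing a weak pattern (a raw block cipher in ECB mode with no integrity check) with a sound one (AES-GCM, a fresh random nonce, and authentication that rejects tampered ciphertext). The study set its encryption task in Python; this version uses Go's standard library so it runs without third-party packages, and the 32-byte key in `main` is a constructed placeholder, not a key from the paper.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// encryptECB is the weak pattern: each 16-byte block is encrypted
// independently, so equal plaintext blocks give equal ciphertext blocks,
// and nothing detects modification of the ciphertext.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptGCM is the sound pattern: authenticated encryption with a random
// nonce prepended to the output, so decryptGCM can recover it.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte authentication tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM splits off the nonce and fails closed if the tag does not verify.
func decryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(data) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

// ecbLeaksStructure reports whether two identical plaintext blocks encrypt
// to identical ciphertext blocks, the classic ECB information leak.
func ecbLeaksStructure(key []byte) bool {
	pt := bytes.Repeat([]byte("A"), 2*aes.BlockSize)
	ct, err := encryptECB(key, pt)
	if err != nil {
		return false
	}
	return bytes.Equal(ct[:aes.BlockSize], ct[aes.BlockSize:])
}

// tamperDetected flips one byte of a GCM ciphertext and reports whether
// decryption rejects it, which is the property ECB cannot provide.
func tamperDetected(key []byte) bool {
	ct, err := encryptGCM(key, []byte("hello"))
	if err != nil {
		return false
	}
	ct[len(ct)-1] ^= 0x01
	_, err = decryptGCM(key, ct)
	return err != nil
}

func main() {
	key := bytes.Repeat([]byte{0x01}, 32) // constructed placeholder key for demonstration only
	fmt.Println("ECB leaks block structure:", ecbLeaksStructure(key))
	fmt.Println("GCM detects tampering:   ", tamperDetected(key))
}
```

The two boolean checks are the kind of thing a reviewer can run against any submitted solution: if identical input blocks produce identical output, or if a flipped byte still decrypts cleanly, the library was used improperly regardless of which cipher name appears in the code.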

“Overall, our results suggest that while AI code assistants may significantly lower the barrier of entry for non-programmers and increase developer productivity, they may provide inexperienced users a false sense of security,” they said.

“By releasing user data, we hope to inform future designers and model builders to not only consider the types of vulnerabilities present in the outputs of models such as OpenAI’s Codex, but also the variety of ways users may choose to interact with an AI code assistant.”

Participants who spent more time refining their queries to the AI assistant, including adjusting the model's parameters, were more likely to arrive at secure solutions. Those who trusted the AI less and engaged more with the language and format of their prompts were more likely to produce secure code, the researchers concluded.

The researchers noted a limitation of the study: because only university students took part, the conclusions may not apply directly to developers with years of professional experience, who may have more security experience.

Regardless, the results highlight the need for caution in relying too heavily on such AI tools, especially on high-value projects, despite the developer community's enthusiasm for them.

GitHub has previously claimed that its own AI pair programmer, GitHub Copilot, improves developers' productivity, citing its own survey in which 88% of developers said they were more productive when using the tool.

The coding platform also claimed that Copilot improves developer happiness, since it allows developers to stay in a development flow for longer and to solve more complex problems. Copilot itself is built on OpenAI's Codex, the model used in the Stanford study; competing code models such as Facebook's InCoder also have significant support among the developers who use them.

However, the current implementation of AI pair programmers was called into question after GitHub was hit with a class action lawsuit in November 2022 alleging that Copilot amounts to software piracy, since it was trained on publicly available repositories hosted on GitHub's platform. The lawsuit alleged that creators who posted code under various open-source licences on the platform have had their legal rights violated.
