GitHub Copilot could be exacerbating software vulnerabilities due to the generative AI assistant’s tendency to replicate insecure code, researchers have warned.
Analysis from Snyk found that AI coding assistants such as GitHub Copilot can learn to imitate problematic patterns or utilize vulnerable material within a developer’s system of code.
If developers are inputting code into GitHub that has security issues or technical problems, then the AI model can succumb to the “broken windows” theory by taking inspiration from its problematic surroundings.
In essence, if GitHub Copilot is fed with prompts containing vulnerable material, then it will learn to regurgitate that material in response to user interactions.
“Generative AI coding assistants, such as Copilot, don’t actually understand code semantics and, as a result, cannot judge it,” researchers said.
Apple is working on an AI coding tool similar to GitHub Copilot
By way of evidence, Snyk highlighted an example in which Copilot utilized the “neighboring tabs” feature to access code for the purposes of context.
In this instance, the code in question already contained security flaws. Copilot then went on to amplify these security vulnerabilities in its following suggestions, leaving the developer at risk of SQL injection.
“This means that existing security debt in a project can make insecure developers using Copilot even less secure,” said Snyk.
The exacerbation of security issues through GitHub should be a concern to developers for several key reasons, researchers said.
Inexperienced or insecure developers, for example, could begin to develop bad habits as Copilot’s code suggestions reinforce mistakes or poor developer practice.
In a similar way, Copilot could pick up on coding patterns that, though previously acceptable, may have become outdated and vulnerable.
AI coding assistants also breed a culture which lacks oversight, the study suggested, meaning problematic code may not be checked and so could be proliferated extensively.
According to Snyk, data suggests that the average commercial project has around 40 vulnerabilities in first-party code, setting the perfect stage for the amplification of flaws if developers are diligent.
Coding assistants like GitHub Copilot should be used with caution
Snyk advised developers to fix issues at the source by ensuring their code is up-to-date and secure.
“Copilot is less likely to suggest insecure code in projects without security issues, as it has less insecure code context to draw from,” said Snyk.
Why software 'security debt' is becoming a serious problem for developers
The company also suggested some more specific mitigation methods for the various departments which this issue could affect.
For example, developers should “conduct manual reviews” of code generated by coding assistants that include within them comprehensive security assessments and vulnerability rectifications. This will help reduce oversight blind spots, researchers suggested.
Security teams, on the other hand, should put static application security testing (SAST) guardrails in place that contain policies for development teams to work to.
Security teams can also help to provide training and awareness to development teams, as well as “prioritize and triage” the backlog of development team issues.
