2022-12-22

A paper by Stanford University researchers found that programmers who employed AI assistants, such as GitHub Copilot and Facebook InCoder, ended up writing less secure code.

Furthermore, such tools also give developers a false sense of security, with many thinking that they are producing better code using the help.

Nearly 50 subjects, each with different levels of expertise, were given five coding tasks, using different languages, some with the help of an AI tool and others without any assistance.

Language games

The paper’s authors – Neil Perry, Megha Srivastava, Deepak Kumar and Dan Boneh – stated that there were “particularly significant results for string encryption and SQL injection”.

They also referred to previous research that found about 40% of the programs created with help from GitHub Copilot contained vulnerable code, although a follow-up study found that programmers using Large Language Models (LLMs), such as OpenAI’s code-cushman-001 Codex – on which GitHub Copilot is based – only encountered a 10% increase in critical security bugs.

However, the Stanford researchers explained that their own research looked at OpenAI’s codex-davinci-002 model, a more recent model than Cushman, which is also used by GitHub Copilot.

They also looked at multiple programming languages, including Python, JavaScript, and C, whereas the other paper focused only on the latter, a difference to which the authors attribute the inconclusive findings. In the Stanford paper, using AI to code in C also did not result in significantly more errors.

One of the five tasks involved writing code in Python, and the code was more likely to be flawed and unsafe when an AI helper was used. In addition, participants were also “significantly more likely to use trivial numbers, such as replacement numbers (p < 0.01), and not to authenticate the final value returned.”
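The paper singles out SQL injection as one of the areas with the most significant results, and the Python task is where AI-assisted code was most often unsafe. The following is an added illustration of that flaw class, not code from the Stanford paper or from any AI assistant: the pattern that pastes user input into query text sits beside the parameterised form that treats the same input as data. The table, the rows and the crafted input are constructed for the demonstration and use only Python’s standard library.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Flawed pattern: the caller's string becomes part of the SQL text, so a
    # quote character inside `name` changes the structure of the statement.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern: a bound parameter is always handled as a value,
    # whatever characters it contains, so the statement's shape is fixed.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups on a benign name and on a constructed quote-breaking input."""
    conn = make_db()
    benign = "bob"
    # Constructed input: closes the quoted literal and appends an always-true clause.
    crafted = "' OR '1'='1"
    return {
        "unsafe_benign": lookup_role_unsafe(conn, benign),
        "unsafe_crafted": lookup_role_unsafe(conn, crafted),  # every row leaks
        "safe_benign": lookup_role_safe(conn, benign),
        "safe_crafted": lookup_role_safe(conn, crafted),  # no row is named that
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point for a reviewer of AI-suggested code is that both functions return the same result for ordinary input; only the crafted input exposes the difference, which is why such flaws survive casual testing and why the study's participants could feel confident in code that was not secure.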

The authors hope their study leads to further improvements in AI, rather than to dismissing the technology altogether, because of the potential productivity improvements such tools can provide. They simply ask that the tools be used with caution, as they can trick programmers into thinking they are infallible.

They also think AI assistants could encourage more people to get involved in coding, regardless of experience, including those who may be put off by the gatekeeper vibe surrounding the discipline.

