AI programming assistants have recently become enormously popular, promising to help programmers write code faster and more efficiently. Many programmers treat them as a "savior" and reach for them constantly while coding. A study from Stanford University, however, throws cold water on these enthusiasts: AI programming assistants may be a "security nightmare".

The Stanford researchers recruited 47 programmers to complete five security-related programming tasks in Python, JavaScript, and C. The result: participants who used an AI assistant wrote significantly less secure code than those who did not.


This is no exaggeration. AI programming assistants behave like "unreliable interns": they produce code that looks correct but are oblivious to its security properties. In the encryption/decryption task, for example, code generated with an AI assistant encrypted the data correctly but failed to return the authentication tag, so the receiving side has no way to detect whether the ciphertext was tampered with. It is like installing a lock on a safe without handing over the key, and it significantly weakens the protection the code was supposed to provide.
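The following is an added illustration of the failure mode described above; it is not code from the paper or from any AI assistant. To stay dependency-free it uses an HMAC-SHA256 keystream plus encrypt-then-MAC as a stand-in for a real AEAD mode such as AES-GCM (a constructed demonstration, not a recommended cipher). The first pair of functions mirrors the flawed pattern (no tag is returned, so decryption silently accepts a modified ciphertext); the second pair returns the tag and verifies it before decrypting.

```python
import hashlib
import hmac
import os

# Demonstration stand-in for a real cipher: HMAC-SHA256 run in counter mode
# produces a keystream that is XORed with the data. Illustration only.
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive_keys(key: bytes) -> tuple:
    # Separate keys for encryption and authentication (constructed derivation).
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


# --- Flawed pattern: the ciphertext is produced, but no authentication tag ---
def encrypt_no_tag(key: bytes, plaintext: bytes) -> tuple:
    enc_key, _ = _derive_keys(key)
    nonce = os.urandom(12)
    return nonce, _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))


def decrypt_no_tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Nothing here can tell whether the ciphertext was modified in transit.
    enc_key, _ = _derive_keys(key)
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


# --- Corrected pattern: encrypt-then-MAC, tag returned and verified ---
def encrypt_authenticated(key: bytes, plaintext: bytes) -> tuple:
    enc_key, mac_key = _derive_keys(key)
    nonce = os.urandom(12)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt_authenticated(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _derive_keys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison; reject before any plaintext is released.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch: ciphertext was modified")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def _corrupt_first_byte(data: bytes) -> bytes:
    # Simulates a transmission error or modification of one ciphertext byte.
    return bytes([data[0] ^ 0x01]) + data[1:]


def demo() -> tuple:
    """Returns (silently_accepted, roundtrip_ok, tamper_detected)."""
    key = os.urandom(32)                 # constructed secret key
    message = b"transfer 100 to alice"   # constructed sample plaintext

    # Without a tag, the corrupted ciphertext decrypts to garbage with no error.
    nonce, ct = encrypt_no_tag(key, message)
    garbage = decrypt_no_tag(key, nonce, _corrupt_first_byte(ct))
    silently_accepted = garbage != message

    # With a tag, the untouched ciphertext round-trips and the corrupted one is rejected.
    nonce, ct, tag = encrypt_authenticated(key, message)
    roundtrip_ok = decrypt_authenticated(key, nonce, ct, tag) == message
    try:
        decrypt_authenticated(key, nonce, _corrupt_first_byte(ct), tag)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return silently_accepted, roundtrip_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The point a reviewer should check in generated encryption code is exactly what `decrypt_authenticated` does and `decrypt_no_tag` cannot: every output of the authenticated mode (nonce, ciphertext and tag) is returned to the caller, and the tag is verified before any plaintext is used.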

Worse still, programmers who used an AI assistant were more likely to believe their code was secure, as if under the influence of a "mind-altering drug", and so overlooked the vulnerabilities in it. That is a bad combination: overconfidence tends to produce the most serious security problems.

The researchers also found that the prompts programmers gave the assistant directly affected the security of the resulting code. When programmers described the task clearly and supplied helper functions, the generated code was more secure. When they leaned heavily on the assistant and pasted its output in unchanged, they were effectively copying "security vulnerabilities" straight into their own code, with predictable consequences.

So, can AI programming assistants be used?

The answer is: yes, but with caution. Programmers should not treat them as a "panacea" or trust them blindly. When using an AI assistant, stay vigilant, review the generated code carefully, and check it for security vulnerabilities before relying on it.

Paper link: https://arxiv.org/pdf/2211.03622