from the going-against-Betteridge's-law dept.
We conduct the first large-scale user study examining how users interact with an AI Code assistant to solve a variety of security related tasks across different programming languages. Overall, we find that participants who had access to an AI assistant based on OpenAI's codex-davinci-002 model wrote significantly less secure code than those without access. Additionally, participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant. Furthermore, we find that participants who trusted the AI less and engaged more with the language and format of their prompts (e.g. re-phrasing, adjusting temperature) provided code with fewer security vulnerabilities. Finally, in order to better inform the design of future AI-based Code assistants, we provide an in-depth analysis of participants' language and interaction behavior, as well as release our user interface as an instrument to conduct similar studies in the future.
Journal Reference: Neil Perry, Megha Srivastava, Deepak Kumar, Dan Boneh https://dl.acm.org/doi/10.1145/3576915.3623157
Originally spotted on Schneier on Security.
(Score: 0) by melyan on Thursday January 25, @12:59AM (1 child)
Ego. I trust the AI already. Ego-based intelligence is also artificial anyway.
(Score: 2) by JoeMerchant on Thursday January 25, @01:15AM
I was going to say: programmers who heed security advice from AI are likely writing more secure code than crusty old coots who just bang it out from memory, or their old "for dummies" books.
(Score: 2) by Opportunist on Thursday January 25, @01:11AM
You train AI to code based on what it finds on the internet. AI of course doesn't know anything about coding originally. And don't gimme that "but it's a computer". AI cannot even count and calculate properly, that's also not its thing.
Now let's take a look at where you find solutions to coding problems? Google any programming problem and you'll end up with the same assortment of pages. Most of them filled with user contributions rather than vetted and curated answers. Sure, peer review votes some answers up or down, and let's for a moment even assume that the AI is clever enough to take this into account, then you basically have a bunch of people who are about as good at programming as the person giving the answer (or rather, probably not AS good or they would have given the answer) voting it up because "it works".
Now, writing code that "somehow works" isn't exactly hard. What these pages completely omit usually, partly because the people who feel the urge to write don't know it themselves, partly because they only want to provide a quick and easy to understand answer rather than one that takes care about edge cases and security asserts that only bloat the code and add confusion, is any kind of safety or secure coding practice.
And this is what AI is using to learn.
So please answer that question yourself. It is fairly trivial.
Not that I complain. As a security consultant, I'd consider the code that gets crapped out based on this "job security to the grave".
And beyond.