Why You Should Apply Caution When Using AI in Code Development
Here’s why you should be careful when using AI in code development.
Developers and their managers may be thrilled with the speed and efficiency artificial intelligence (AI) provides to write code and complete projects faster. However, beware: using AI without considering potential security gaps could unknowingly introduce vulnerabilities, warns Robert Castles, principal and CTO at PMG.
AI may be a game-changer for code developers one day, but blind trust in using curated code as is – without validating it or perhaps even understanding it – is risky. AI learns as it goes by finding patterns in large quantities of data and adapting through progressive learning algorithms.
However, developers should remember that AI can make the same mistakes as humans. As a post in Wired put it, “AI can write code like humans – bugs and all.” This can result in a command injection attack or inability to troubleshoot should something go wrong. Machine Learning (ML), a subset of AI, is trained on source material, so it is highly dependent on the quality of the data or code. While this is likely to improve over time, just as AI/ML is making leaps and bounds in other areas, strong curation is critical to avoiding issues.
Let’s take a look at the pros and cons of using AI to help write software and what can be done to help prevent the vulnerabilities it could introduce.
Too Quick for Comfort
Using AI to write code could be a precursor to automated coding, but it’s just in its infancy. We know some, but not all, of the pitfalls.
Developers and product managers crave speed while writing software, but speed bumps can bring critical pauses for evaluation and revision. It stands to reason, then, that AI-driven code writing necessitates programmers to keep their proverbial hands on the wheel and eyes on the road.
Two main sources for code are Stack Overflow, a question-and-answer website on a wide range of computer programming topics, and GitHub, a massive Microsoft-owned developer platform to build, scale and deliver software.
GitHub recently made its AI-pair programming tool, Copilot, generally available to the public. Users just type in a comment describing what they want to do, and Copilot suggests code that will do it. For more experienced developers, the program will take a database query, command, or request to an API that a programmer enters and will guess the intent and write the rest.
While there is little doubt such an AI tool lets programmers spend less time looking up examples on Stack Overflow or API documents, NYU researchers analyzed the Copilot-generated code found on some tasks and discovered the code contained security flaws approximately 40% of the time.
To be clear, I’m not trying to pick on Copilot. This is just an example of how AI programming hasn’t yet worked through the security challenges that come along with it.
See More: How AI Can Help Address the Talent and Skills Shortage
Free Doesn’t Mean Trouble-free
There are many mistakes inexperienced developers routinely make during coding. This includes skipping bounds checking, not looking for injection attacks, or using code patterns without quite understanding them. By offering curated code suggestions, AI-assisted code could provide better safety checks to help prevent security risks like a command injection attack or buffer overflow vulnerability.
This is a strong argument in support of AI programming. No doubt, some AI-driven code solutions will circumstantially bring best practices for security to the table. However, developers and product managers must understand no guarantee exists, at least for now. Proven, strong development practices will still be required to protect organizations, customers and consumers from cyber threats.
Remember, just because it’s free – similar to open-source code – doesn’t necessarily mean that it’s good code.
Into the Gray
I certainly find it exciting to see code from the AI generators, often bringing advanced patterns to the screen in the form of code. While this might be great, it also introduces the real challenge for developers to understand what has been typed into their code editors, as they or someone else will now own it.
For example, if a developer needs to write an algorithm for a binary search tree but doesn’t understand the code patterns, AI pulls curated code to do that.
This can be a positive and a negative at the same time. On the one hand, AI can curate code, allowing developers to move along with the project even if they don’t understand a particular piece of the logic. On the other hand, who can troubleshoot this code should something go awry or if the unknown code introduces vulnerabilities?
All of a sudden, developers could find themselves in a gray area where AI removed a roadblock in the software writing process, but no one on the development team understands the code it grabbed. There is a running joke among developers – when Stack Overflow is down, they can’t do any coding that day. This is because it’s common for them to rely on other developers there by asking, “How do I write a function to do A, B or C in a given language?”
Or alternatively, they start combing through Stack Overflow articles and posts until they find something useful for what they need. At least when bringing in code from another source like this, developers are curating it themselves and typically understand how to fit it into their existing code. When AI generates the code, this often isn’t the case.
Infringement or Not?
Copyrights also need consideration. If the content is curated through AI, the coder won’t know whether it’s copyrighted, so could be plagiarizing someone else’s work.
Think about DALL-E Mini, for example, a free OpenAI generator found on GitHub that enables people to create drawings and sometimes produces bizarre results.
After a user types something they want to see and clicks the run button, AI searches for those words and finds images associated with them. It then creates a vignette with fragments of those images and tries to make the result realistic.
Dall-E Mini uses other artists’ work to provide results and create something new, but users don’t know the copyright status of the source works. Similarly, with AI-assisted coding, how do developers know whether they’re plagiarizing other people’s work? They don’t.
Stay Diligent When Coding with AI
One way to mitigate the risks of using AI-assisted code development is to reallocate more people into the peer review process. Another option is to move quality testing up toward the beginning of the code development process rather than leaving it to the end. Although this might seem expensive, such a measure pays off later.
It’s crucial to stay diligent because using AI is akin to inviting an unknown person to join a code development team. Further, consider whether developers will sharpen their skills when AI takes over part of the job. AI is here to stay in the code development process. But before opening those arms and welcoming AI into a team, understand its limits and know that the time saved in code development should be allocated to peer review.
Always err on the side of caution.
Have you faced any security challenges when coding with AI? Share with us on Facebook, Twitter, and LinkedIn.
MORE ON CODING:
- The Tech Skill Shortage and the Rise of Low-Code/No-Code
- Importance of Workflow Automation and No-Code in Managing a Remote Workforce
Image Source: Shutterstock
