Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns

Jan H. Klemmer; Stefan Albert Horstmann; Nikhil Patnaik; Cordelia Ludden; Cordell Burton Jr; Carson Powers; Fabio Massacci; Akond Rahman; Daniel Votipka; Heather Richter Lipford; Awais Rashid; Alena Naiakshina; Sascha Fahl

Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns

Jan H. Klemmer, Stefan Albert Horstmann, Nikhil Patnaik, Cordelia Ludden, Cordell Burton Jr, Carson Powers, Fabio Massacci, Akond Rahman, Daniel Votipka, Heather Richter Lipford, Awais Rashid, Alena Naiakshina and Sascha Fahl.
In 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS '24), October 14--18, 2024, Salt Lake City, UT, USA

PDF Abstract Cite URL

Abstract

Following the recent release of AI assistants, such as OpenAI’s ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on secure software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Their overall mistrust leads to checking AI suggestions in similar ways to human code, although they expect improvements and, therefore, a heavier use for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, AI creators to improve suggestion security and capabilities for ethical security tasks, and academic researchers to consider general-purpose AI in software development.

Reference

@inproceedings{conf/ccs/klemmer24,
 author = {Jan H. Klemmer and 
Stefan Albert Horstmann and 
Nikhil Patnaik and 
Cordelia Ludden and 
Cordell Burton Jr and 
Carson Powers and 
Fabio Massacci and 
Akond Rahman and 
Daniel Votipka and 
Heather Richter Lipford and 
Awais Rashid and 
Alena Naiakshina and 
Sascha Fahl},
 booktitle = {In 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS '24), October 14--18, 2024, Salt Lake City, UT, USA},
 month = {Oct},
 publisher = {ACM},
 title = {Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns},
 url = {https://arxiv.org/abs/2405.06371},
 year = {2024}
}