"Examine AI-Generated Code Thoroughly Before Depending on It Completely"
=====================================================================================
In a recent report published by data security firm Veracode, it was revealed that approximately half of all AI-generated code contains security flaws. The report tested over 100 large language models on 80 coding tasks, each with known potential vulnerabilities.
The findings are concerning, as AI models are becoming more common in the programming world. They are capable of identifying exploitable bugs in code and are even becoming capable of cracking the same code they generate.
One of the most significant vulnerabilities discovered in the AI-generated code is broken access control. This issue can allow unauthorised users to access sensitive data, leading to potential data breaches. Cryptographic failures and data integrity failures were also found, which can compromise the security of the entire system.
The 45% of code that failed the security check produced a vulnerability that is part of the Open Worldwide Application Security Project's top 10 security vulnerabilities. This underscores the importance of addressing these issues in AI-generated code.
The report did not specify the exact nature of the coding tasks or the coding languages used in the tests. However, the tasks tested included using different coding languages and building different types of applications.
The output of the AI-generated code has issues big enough that it wouldn't be advisable to spin it up and push it live without addressing the security concerns. Developers can ensure security in AI-generated code by treating such code as a starting point rather than production-ready and conducting thorough security reviews, including code audits, security scanning, and compliance checks.
In addition to these measures, developers should validate all inputs, avoid hardcoding secrets, use up-to-date dependencies, specify security requirements in prompts, understand licensing and IP risks, prefer secure and compliant AI tools, and stay updated with evolving security best practices.
Recent research on AI models found they are getting very good at spotting vulnerabilities in code. This is a double-edged sword, as while it can help identify issues, it also means that AI models can potentially be used maliciously to exploit vulnerabilities in code.
Earlier this month, a hacker managed to get Amazon's AI coding agent to delete files of computers by injecting malicious code. This incident highlights the need for vigilance in securing AI-generated code.
In summary, security in AI-generated code requires a comprehensive approach combining cautious tool selection, strong developer oversight, continuous security testing, and adherence to coding and legal best practices to counter the roughly 40% vulnerability rate reported in AI-generated code.
Artificial intelligence models, despite their ability to identify vulnerabilities in code, can also generate code with significant security flaws, such as broken access control and cryptographic failures, posing risks for cybersecurity. As AI technology becomes more prevalent in the tech industry, tech firms like Gizmodo should prioritize addressing these issues in AI-generated code, ensuring thorough security reviews and adherence to coding best practices. The future of technology relies on the responsible implementation of AI, with a focus on maintaining the security and integrity of all AI-generated code.
