GitHub Copilot could exacerbate software vulnerabilities due to the generative AI assistant’s tendency to replicate insecure code, researchers have warned.
Analysis by Snyk found that AI coding assistants such as GitHub Copilot can mimic problematic patterns and reproduce vulnerable code that already exists within a project's codebase.
If developers contribute code to GitHub that has security or technical issues, the AI model may succumb to a "broken windows" effect, drawing inspiration from its troubled environment.
Essentially, if GitHub Copilot's prompts include context containing vulnerable code, it will learn to reproduce that material in response to user interactions.
“Generative AI coding assistants, such as Copilot, do not actually understand the semantics of code and, as a result, cannot judge it,” the researchers said.
As evidence, Snyk pointed to an example in which Copilot drew on the "neighboring tabs" feature, which reads code from other open files for context. In this case, that code already contained security flaws, and Copilot went on to amplify the vulnerabilities in its subsequent suggestions, leaving the developer exposed to SQL injection.
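Snyk's report does not reproduce the code in question, but the pattern it describes typically looks like the following Python sketch, in which the table, column, and function names are illustrative: an assistant that sees the first, string-concatenated query in a neighboring file is more likely to suggest the same injectable style elsewhere.

```python
import sqlite3

# Vulnerable pattern: if code like this sits in a neighboring tab,
# a coding assistant may suggest more of the same. User input is
# concatenated directly into the SQL string, enabling SQL injection.
def find_user_insecure(conn: sqlite3.Connection, username: str):
    query = f"SELECT id, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

# Safer pattern: a parameterized query keeps user input out of the
# SQL text, so the database driver handles escaping.
def find_user_secure(conn: sqlite3.Connection, username: str):
    query = "SELECT id, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()
```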
This means, Snyk said, that existing security debt in a project can leave developers who use Copilot even less secure.
This tendency should worry developers for several key reasons, researchers say.
Inexperienced or less security-aware developers, for example, might pick up bad habits because Copilot's code suggestions reinforce their mistakes or poor development practices.
Similarly, Copilot could pick up coding patterns that, while previously acceptable, have since become outdated and vulnerable.
AI coding assistants can also foster a culture that lacks oversight, the study suggests, meaning problematic code may go unvetted and be widely propagated.
According to Snyk, data suggests the average commercial project carries around 40 vulnerabilities in its first-party code, setting the perfect stage for those vulnerabilities to be amplified if developers are not diligent.
Coding assistants like GitHub Copilot should be used with caution
Snyk advised developers to fix problems at the source by ensuring their code is up to date and secure.
“Copilot is less likely to suggest insecure code in projects without security issues, since there is less insecure code context to pull from,” Snyk said.
The company also suggested more specific mitigation steps for the different teams likely to be affected by the issue.
For example, developers should "conduct manual reviews" of code generated by coding assistants, including thorough security assessments and fixes for any vulnerabilities found. This will help close oversight blind spots, the researchers suggest.
Security teams, for their part, should set up static application security testing (SAST) guardrails that enforce rules for development teams.
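Snyk does not prescribe a specific setup, but a minimal sketch of such a guardrail, assuming a CI pipeline and a SAST CLI such as Snyk Code, might scan every pull request and block the merge when the scanner reports findings; the command, flag, and threshold below are assumptions that would vary by tooling.

```python
import subprocess
import sys

# Illustrative CI guardrail: run a SAST scan over the repository and
# fail the pipeline if the scanner reports findings. "snyk code test"
# is used here as an example SAST command; swap in whatever scanner
# your security team has standardized on.
def run_sast_guardrail(severity_threshold: str = "high") -> int:
    result = subprocess.run(
        ["snyk", "code", "test", f"--severity-threshold={severity_threshold}"],
        capture_output=True,
        text=True,
    )
    print(result.stdout)
    if result.returncode != 0:
        # A non-zero exit code conventionally means issues were found
        # (or the scan itself failed); either way, block the merge.
        print("SAST guardrail failed: resolve the reported issues before merging.")
    return result.returncode

if __name__ == "__main__":
    sys.exit(run_sast_guardrail())
```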
Security teams can also provide training and raise security awareness among development teams, as well as help "prioritize and sort" the development team's backlog of issues.