AI Coding Pitfalls
"The Feeling of Power" is a 1958 science fiction short story by Isaac Asimov. It imagines a world so reliant on computers to construct and program other computers that the rediscovery of doing maths without them counts as a breakthrough. In the real world, AI engines are now being used to generate, or at least accelerate, the creation of code. This can significantly reduce development time for software projects, but to what degree can that code be relied upon?
Some people will always be better at writing code than others, and any major software project is likely to involve more than one individual. Creating a solution to a well-understood problem can be relatively straightforward, and AI code generators can fill in many of the basic building blocks, reducing the time needed to flesh out a solution. There is a degree of intellectual satisfaction in coming up with an answer to a programming problem; running through the possibly limitless consequences of implementing that solution is more grind than reward, and AI tools offer the prospect of reducing that grind. AI code creation is a relatively new tool; GitHub Copilot was only made generally available to developers in June 2022. As a result, coders are having to develop new skills on the fly. The role of the successful developer may come to rely more on the ability to supply the right inputs for an AI to create a robust solution. The challenge that has not changed is identifying the problem and defining exactly what the code needs to do to solve it.
A big hurdle for commercial software is testing all possible use cases, ensuring that the software keeps working as intended and that it cannot be exploited by malicious actors. Even sorting out one's own code and testing it as each section is implemented is a challenging task. The implementer may know what the code does but, not being its ultimate author, may be less certain about how it does it. Reviewing a solution that has been created in bulk by AI will put further strain on testing and validation systems (which are, in turn, becoming AI driven).
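As a minimal sketch of what testing each section as it lands might look like, the snippet below checks a hypothetical clampPercentage helper (the name and behaviour are invented for illustration, not taken from any tool mentioned here) against its intended inputs and one awkward edge:

    import { strictEqual, ok } from "node:assert";

    // A hypothetical helper of the kind an AI assistant might produce.
    function clampPercentage(value: number): number {
      return Math.min(100, Math.max(0, value));
    }

    // Exercise the intended use cases first.
    strictEqual(clampPercentage(50), 50);   // normal input
    strictEqual(clampPercentage(-10), 0);   // below range
    strictEqual(clampPercentage(250), 100); // above range

    // NaN slips straight through Math.max and Math.min unchanged; the
    // sort of silent surprise that is easy to miss in code one did not
    // write oneself.
    ok(Number.isNaN(clampPercentage(NaN)));

Edge cases like the last one are exactly where knowing what the code does, but not how, starts to matter.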
A 2023 survey by Snyk discusses the degree of reliance on AI-generated code and how secure the resulting code might be. It also describes an example of GitHub Copilot output whose AI-generated JavaScript used the appropriately named dangerouslySetInnerHTML, leaving it vulnerable to cross-site scripting (XSS) attacks. To be fair, Snyk is in the business of identifying vulnerabilities in code, so any perceived risks would support its business model. The survey is based on responses from 537 software engineering and security team members and leaders; 96% of those teams were using AI coding tools, and 56% of respondents had encountered security risks within AI-generated code. Similar risks could also be present in code from online solution repositories, although these rely on human input to comment on and prioritise the best solutions. If AI tools are creating insecure code and that code is being accepted, it will be fed back into their own training data, increasing the likelihood of subsequent output being unreliable.
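To illustrate why that React prop earns its name (a minimal sketch with invented component names, not Snyk's actual example), the first component below injects raw user input into the page, while the second lets React's default escaping neutralise the same payload:

    import React from "react";

    // Vulnerable: if `comment` holds user-supplied markup such as
    // <img src=x onerror="stealCookies()">, the handler executes in
    // every visitor's browser. (stealCookies is a stand-in payload.)
    function UnsafeComment({ comment }: { comment: string }) {
      return <div dangerouslySetInnerHTML={{ __html: comment }} />;
    }

    // Safer: React escapes interpolated text by default, so the same
    // payload renders as inert characters instead of executing.
    function SafeComment({ comment }: { comment: string }) {
      return <div>{comment}</div>;
    }

The vulnerable form is sometimes the statistically common pattern in training data, which is precisely how a code generator comes to suggest it.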
40% of developers questioned by Snyk were very concerned that the use of AI would erode the human skills needed to create good code, which in turn could affect their own ability to pick up errors in existing code. There is also an indirect risk that insecure code originally created by AI may appear in solutions from a third-party developer, on a code repository or within open-source projects. Stack Overflow, a popular source of coding solutions, banned the posting of AI-generated answers in 2022, its case being that the chance of an AI solution being the correct and best answer was relatively low, and that an influx of such responses would dilute the more helpful code segments hosted on the site. The AI code engines themselves were originally primed with data from these online code sources. If the new engines prove easier to use than searching human-curated repositories, there will be less input into the original databases, making them less useful and further promoting reliance on AI engines. Unlike information on historical facts, code solutions need to be kept up to date: older functions are sidelined (deprecated) and replaced by more efficient or more secure alternatives, which leaves ageing code as the best choice only within legacy applications.
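JavaScript itself offers one small, concrete instance of this churn: the long-deprecated escape() function still runs, but its modern replacement is both standard and Unicode-safe:

    // Deprecated: escape() uses a non-standard encoding for non-ASCII
    // characters and has long been superseded.
    const legacy = escape("café & crème");
    // -> "caf%E9%20%26%20cr%E8me"

    // Current practice: encodeURIComponent percent-encodes via UTF-8
    // and round-trips cleanly with decodeURIComponent.
    const modern = encodeURIComponent("café & crème");
    // -> "caf%C3%A9%20%26%20cr%C3%A8me"

    console.log(legacy, modern);

An engine trained on a corpus heavy with the older pattern may keep recommending it long after human answers have moved on.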
The core issue may be not where code comes from but how far we can trust its reliability and who owns the resulting solution. Robust testing and reacting to user feedback will optimise the efficiency of the code over time; how big a role AI will have in that whole process is still being worked out.