Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns

Jan H. Klemmer; Stefan Albert Horstmann; Nikhil Patnaik; Cordelia Ludden; Cordell Burton Jr.; Carson Powers; Fabio Massacci; Akond Rahman; Daniel Votipka; Heather Richter Lipford; Awais Rashid; Alena Naiakshina; Sascha Fahl

doi:10.1145/3658644.3690283

Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns

Jan H. Klemmer, Stefan Albert Horstmann, Nikhil Patnaik, Cordelia Ludden, Cordell Burton Jr., Carson Powers, Fabio Massacci, Akond Rahman, Daniel Votipka, Heather Richter Lipford, Awais Rashid, Alena Naiakshina, Sascha Fahl

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

10 Citations (Scopus)

7 Downloads (Pure)

Abstract

Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on security in software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that, despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Participants' overall mistrust leads to checking AI suggestions in similar ways to human code. However, they expect improvements and, therefore, a heavier use of AI for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, for AI creators to improve suggestion security and capabilities for ethical security tasks, and for academic researchers to consider general-purpose AI in software development.

Original language	English
Title of host publication	CCS '24
Subtitle of host publication	Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
Editors	Bo Luo, Xiaojing Liao, Jun Xu, Engin Kirda, David Lie
Publisher	ACM SIGGRAPH
Pages	2726-2740
Number of pages	15
ISBN (Electronic)	9798400706363
DOIs	https://doi.org/10.1145/3658644.3690283
Publication status	Published - 9 Dec 2024
Event	CCS '24: ACM SIGSAC Conference on Computer and Communications Security - Salt Lake City, United States Duration: 14 Oct 2024 → 18 Oct 2024 https://www.sigsac.org/ccs/CCS2024/

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
Publisher	ACM
ISSN (Print)	1543-7221

Conference

Conference	CCS '24: ACM SIGSAC Conference on Computer and Communications Security
Abbreviated title	CCS '24
Country/Territory	United States
City	Salt Lake City
Period	14/10/24 → 18/10/24
Internet address	https://www.sigsac.org/ccs/CCS2024/

Access to Document

10.1145/3658644.3690283Licence: Unspecified

Full-text PDF (accepted manuscript)
This is the accepted author manuscript (AAM) of the article which has been made Open Access under the University of Bristol's Scholarly Works Policy. The final published version (Version of Record) can be found on the publisher's website. The copyright of any third-party content, such as images, remains with the copyright holder.
Accepted author manuscript, 802 KBLicence: CC BY

https://arxiv.org/abs/2405.06371

Handle.net

Persistent link

Cite this

Klemmer, J. H., Horstmann, S. A., Patnaik, N., Ludden, C., Jr., C. B., Powers, C., Massacci, F., Rahman, A., Votipka, D., Lipford, H. R., Rashid, A., Naiakshina, A., & Fahl, S. (2024). Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns. In B. Luo, X. Liao, J. Xu, E. Kirda, & D. Lie (Eds.), CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (pp. 2726-2740). (Proceedings of the ACM Conference on Computer and Communications Security). ACM SIGGRAPH. https://doi.org/10.1145/3658644.3690283

Klemmer, Jan H. ; Horstmann, Stefan Albert ; Patnaik, Nikhil et al. / Using AI Assistants in Software Development : A Qualitative Study on Security Practices and Concerns. CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. editor / Bo Luo ; Xiaojing Liao ; Jun Xu ; Engin Kirda ; David Lie. ACM SIGGRAPH, 2024. pp. 2726-2740 (Proceedings of the ACM Conference on Computer and Communications Security).

@inproceedings{045b2dc8621c4d21940b8ea5dd5d6e06,

title = "Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns",

abstract = "Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on security in software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that, despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Participants' overall mistrust leads to checking AI suggestions in similar ways to human code. However, they expect improvements and, therefore, a heavier use of AI for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, for AI creators to improve suggestion security and capabilities for ethical security tasks, and for academic researchers to consider general-purpose AI in software development.",

author = "Klemmer, \{Jan H.\} and Horstmann, \{Stefan Albert\} and Nikhil Patnaik and Cordelia Ludden and Jr., \{Cordell Burton\} and Carson Powers and Fabio Massacci and Akond Rahman and Daniel Votipka and Lipford, \{Heather Richter\} and Awais Rashid and Alena Naiakshina and Sascha Fahl",

year = "2024",

month = dec,

day = "9",

doi = "10.1145/3658644.3690283",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "ACM SIGGRAPH",

pages = "2726--2740",

editor = "Bo Luo and Xiaojing Liao and Jun Xu and Engin Kirda and David Lie",

booktitle = "CCS '24",

note = "CCS '24: ACM SIGSAC Conference on Computer and Communications Security, CCS '24 ; Conference date: 14-10-2024 Through 18-10-2024",

url = "https://www.sigsac.org/ccs/CCS2024/",

}

Klemmer, JH, Horstmann, SA, Patnaik, N, Ludden, C, Jr., CB, Powers, C, Massacci, F, Rahman, A, Votipka, D, Lipford, HR, Rashid, A, Naiakshina, A & Fahl, S 2024, Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns. in B Luo, X Liao, J Xu, E Kirda & D Lie (eds), CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, ACM SIGGRAPH, pp. 2726-2740, CCS '24: ACM SIGSAC Conference on Computer and Communications Security, Salt Lake City, Utah, United States, 14/10/24. https://doi.org/10.1145/3658644.3690283

Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns. / Klemmer, Jan H.; Horstmann, Stefan Albert; Patnaik, Nikhil et al.
CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. ed. / Bo Luo; Xiaojing Liao; Jun Xu; Engin Kirda; David Lie. ACM SIGGRAPH, 2024. p. 2726-2740 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Using AI Assistants in Software Development

T2 - CCS '24: ACM SIGSAC Conference on Computer and Communications Security

AU - Klemmer, Jan H.

AU - Horstmann, Stefan Albert

AU - Patnaik, Nikhil

AU - Ludden, Cordelia

AU - Jr., Cordell Burton

AU - Powers, Carson

AU - Massacci, Fabio

AU - Rahman, Akond

AU - Votipka, Daniel

AU - Lipford, Heather Richter

AU - Rashid, Awais

AU - Naiakshina, Alena

AU - Fahl, Sascha

PY - 2024/12/9

Y1 - 2024/12/9

N2 - Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on security in software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that, despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Participants' overall mistrust leads to checking AI suggestions in similar ways to human code. However, they expect improvements and, therefore, a heavier use of AI for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, for AI creators to improve suggestion security and capabilities for ethical security tasks, and for academic researchers to consider general-purpose AI in software development.

AB - Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on security in software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that, despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Participants' overall mistrust leads to checking AI suggestions in similar ways to human code. However, they expect improvements and, therefore, a heavier use of AI for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, for AI creators to improve suggestion security and capabilities for ethical security tasks, and for academic researchers to consider general-purpose AI in software development.

UR - https://www.sigsac.org/ccs/CCS2024/

U2 - 10.1145/3658644.3690283

DO - 10.1145/3658644.3690283

M3 - Conference Contribution (Conference Proceeding)

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 2726

EP - 2740

BT - CCS '24

A2 - Luo, Bo

A2 - Liao, Xiaojing

A2 - Xu, Jun

A2 - Kirda, Engin

A2 - Lie, David

PB - ACM SIGGRAPH

Y2 - 14 October 2024 through 18 October 2024

ER -

Klemmer JH, Horstmann SA, Patnaik N, Ludden C, Jr. CB, Powers C et al. Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns. In Luo B, Liao X, Xu J, Kirda E, Lie D, editors, CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. ACM SIGGRAPH. 2024. p. 2726-2740. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3658644.3690283

Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns

Abstract

Publication series

Conference

Access to Document

Handle.net

Other files and links

Fingerprint

Cite this