Code generation tools driven by artificial intelligence have recently become more popular due to advancements in deep learning and natural language processing that have increased their capabilities. The proliferation of these tools may be a double-edged sword because while they can increase developer productivity by making it easier to write code, research has shown that they can also generate insecure code. In this paper, we perform a user-centered evaluation GitHub’s Copilot to better understand its strengths and weaknesses with respect to code security. We conduct a user study where participants solve programming problems (with and without Copilot assistance) that have potentially vulnerable solutions. The main goal of the user study is to determine how the use of Copilot affects participants’ security performance. In our set of participants (n=25), we find that access to Copilot accompanies a more secure solution when tackling harder problems. For the easier problem, we observe no effect of Copilot access on the security of solutions. We also observe no disproportionate impact of Copilot use on particular kinds of vulnerabilities. Our results indicate that there are potential security benefits to using Copilot, but more research is warranted on the effects of the use of code generation tools on technically complex problems with security requirements.
Fri 19 AprDisplayed time zone: Lisbon change
11:00 - 12:30 | Security 4Research Track / Software Engineering in Practice at Eugénio de Andrade Chair(s): Liliana Pasquale University College Dublin & Lero | ||
11:00 15mTalk | A User-centered Security Evaluation of Copilot Research Track Owura Asare University of Waterloo, Mei Nagappan University of Waterloo, N. Asokan University of Waterloo | ||
11:15 15mTalk | Identifying Affected Libraries and Their Ecosystems for Open Source Software Vulnerabilities Research Track Susheng Wu Fudan University, Wenyan Song Fudan University, Kaifeng Huang Tongji University, Bihuan Chen Fudan University, Xin Peng Fudan University | ||
11:30 15mTalk | Understanding Transaction Bugs in Database Systems Research Track Ziyu Cui Institute of Software Chinese Academy of Sciences, Wensheng Dou Institute of Software Chinese Academy of Sciences, Yu Gao Institute of Software, Chinese Academy of Sciences, China, Dong Wang Institute of software, Chinese academy of sciences, Jiansen Song Institute of Software Chinese Academy of Sciences, Yingying Zheng Institute of Software Chinese Academy of Sciences, Tao Wang Institute of Software at Chinese Academy of Sciences, Rui Yang Institute of Software, Chinese Academy of Sciences, Kang Xu University of Chinese Academy of Sciences, Nanjing, Yixin Hu Sun Yat-sen University, Jun Wei Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences; University of Chinese Academy of Sciences Chongqing School, Tao Huang Institute of Software Chinese Academy of Sciences Pre-print | ||
11:45 15mTalk | When Contracts Meets Crypto: Exploring Developers' Struggles with Ethereum Cryptographic APIs Research Track Jiashuo Zhang Peking University, China, Jiachi Chen Sun Yat-sen University, Zhiyuan Wan Zhejiang University, Ting Chen University of Electronic Science and Technology of China, Jianbo Gao Peking University, Zhong Chen | ||
12:00 15mTalk | Industrial Challenges in Secure Continuous Development Software Engineering in Practice Fabiola Moyón Siemens Technology and Technical University of Munich, Florian Angermeir fortiss GmbH, Daniel Mendez Blekinge Institute of Technology and fortiss Pre-print | ||
12:15 15mTalk | Automated Security Findings Management: A Case Study in Industrial DevOps Software Engineering in Practice Markus Voggenreiter Siemens Technology / LMU Munich, Florian Angermeir fortiss GmbH, Fabiola Moyón Siemens Technology and Technical University of Munich, Ulrich Schöpp fortiss GmbH, Pierre Bonvin Munich University of Applied Sciences Pre-print | ||