Q&AEval: Benchmarking Secure Coding Ability of LLMs on Real-World Tasks (SVM 2026)

Who

Markus Toran, Bettina Ballin, Marc Miltenberger, Steven Arzt

Track

SVM 2026

Time Zone

The program is currently displayed in (GMT-03:00) Brasilia, Distrito Federal, Brazil.

Use conference time zone: (GMT-03:00) Brasilia, Distrito Federal, BrazilSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Sat 18 Apr 2026 16:20 - 16:40 at Europa II - SVM Paper Session 2 Chair(s): Triet Le

Abstract

Conversational Models revolutionize the way we think, communicate, and code. Large Language Models (LLMs) such as GPT-o4 can generate thousands of lines of code in seconds, ranging from simple boilerplate functions to large and complex applications. In this study, we evaluate the security and quality of the code produced by LLMs, comparing it to a human baseline derived from a vast corpus of StackOverflow questions and answers.

We queried 5 LLMs with over 10,000 cybersecurity-related questions from StackOverflow. Using three static code scanners, we automatically identified software vulnerabilities in the AI-generated code for Java and Python as well as the human-provided code snippets in the StackOverflow answers. Based on this data, we analyze what developers can expect from LLM-generated code and how the security level compares to humans.

We find that popular LLMs generate code that is less secure than code written by human programmers. LLMs often replicate common vulnerability patterns and, in some cases, introduce additional security issues. Our results contradict a previous study on a similar, albeit smaller dataset.

Markus Toran

Fraunhofer SIT; ATHENE

Bettina Ballin

Marc Miltenberger

Fraunhofer SIT; ATHENE

Germany

Steven Arzt

Fraunhofer SIT; ATHENE

Germany

Time Zone

The program is currently displayed in (GMT-03:00) Brasilia, Distrito Federal, Brazil.

Use conference time zone: (GMT-03:00) Brasilia, Distrito Federal, BrazilSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Sat 18 Apr
Displayed time zone: Brasilia, Distrito Federal, Brazil change

16:00 - 17:30	SVM Paper Session 2SVM / EnCyCriS at Europa II Chair(s): Triet Le Adelaide University

16:00 20m Talk		LLMs in Code Vulnerability Analysis: A Proof of Concept SVM Shaznin Sultana Ohio University, Sadia Afreen University of Cincinnati, Nasir Eisty University of Tennessee-Knoxville
16:20 20m Talk		Q&AEval: Benchmarking Secure Coding Ability of LLMs on Real-World Tasks SVM Markus Toran Fraunhofer SIT; ATHENE, Bettina Ballin , Marc Miltenberger Fraunhofer SIT; ATHENE, Steven Arzt Fraunhofer SIT; ATHENE
16:40 20m Talk		Process-based Indicators of Vulnerability Re-Introducing Code Changes: An Exploratory Case Study SVM Samiha Shimmi Northern Illinois University, Nicholas Synovic Loyola University Chicago, Mona Rahimi Northern Illinois University, George K. Thiruvathukal Loyola University Chicago
17:00 5m Day closing		SVM Closure SVM Triet Le Adelaide University