GitHub Copilot is far too risky to use without rigorous oversight, concludes security researcher ‘0xabad1dea’, who documented a trio of security vulnerabilities generated by the AI pair programmer during a risk assessment.
GitHub Copilot is designed to accelerate software development by suggesting entire lines and functions, adapting to developers’ coding style as it does so.
Trained on billions of lines of code publicly available on GitHub, the machine learning tool is currently in a trial phase and available for testing as a Visual Studio Code extension.
0xabad1dea says Copilot sometimes generates code that is “so obviously, trivially wrong that no professional programmer could think otherwise”.
More alarming still, the tool also suggests “bad code that looks reasonable at first glance, something that might slip by a programmer in a hurry, or seem correct to a less experienced coder”.
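To illustrate the kind of plausible-looking but unsafe suggestion being described, consider the following minimal Python sketch. It is a hypothetical example, not one taken from the researcher’s report: a database lookup that reads naturally but interpolates user input straight into an SQL string, leaving it open to injection, alongside the parameterised version a careful reviewer would expect.

import sqlite3

def find_user(conn: sqlite3.Connection, username: str):
    # Looks reasonable at a glance, but building the query with an f-string
    # lets a crafted username alter the SQL itself (SQL injection).
    query = f"SELECT id, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()

def find_user_safe(conn: sqlite3.Connection, username: str):
    # The safer version binds the value as a parameter instead of
    # splicing it into the query string.
    query = "SELECT id, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()

A reviewer skimming only the first function could easily accept it, which is precisely the failure mode the researcher warns about.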
GitHub admits that “the code it suggests may not always work, or even make sense”, but adds that “it’s getting smarter all the time”.