Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns

TL;DR

This study explores how software professionals use AI assistants like ChatGPT and Copilot in secure development, revealing widespread use despite security concerns and highlighting the need for improved AI security features and critical evaluation practices.

Contribution

It provides qualitative insights into security practices and concerns of professionals using AI assistants, an area previously underexplored in empirical research.

Findings

Professionals use AI for security-critical tasks despite security concerns.

Participants check AI suggestions similarly to human code review.

There is an expectation of future increased use of AI in security tasks.

Abstract

Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on secure software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Their overall mistrust leads to checking AI suggestions in similar ways to human code, although they expect improvements and, therefore, a heavier use for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, AI creators to improve suggestion security and capabilities for ethical security tasks, and academic researchers to consider general-purpose AI in software development.