GitHub and OpenAI recently released a technical preview of a new AI tool called Copilot, which sits in the Visual Studio Code editor and automatically completes code snippets. According to the source, it works best with Python, JavaScript, TypeScript, Ruby, and Go. It is also important to note that any generated code should be tested for defects and vulnerabilities.
AI tools that help developers quickly create blocks of code from semantic cues promise to dramatically reduce programming time, but they come with warnings: the code they produce may be flawed, contain offensive language, or raise data security issues.
Copilot can predict how functions are intended to be coded
Trained on billions of lines of public code hosted on GitHub, the AI tool, known as Copilot, can predict the intent of a function from comments, docstrings, function names, and whatever code the developer has entered. Copilot then completes the entire code block automatically.
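To illustrate the kind of prompt Copilot works from, a signature and docstring like the following could be enough for the tool to propose a complete body. The function, docstring, and completion below are a hypothetical sketch of the interaction, not actual Copilot output:

```python
# The developer types only the signature and docstring...
def days_between(start: str, end: str) -> int:
    """Return the number of days between two ISO dates, e.g. '2021-07-01'."""
    # ...and a Copilot-style tool might propose a body such as:
    from datetime import date
    return abs((date.fromisoformat(end) - date.fromisoformat(start)).days)
```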
GitHub says on its Copilot website that "there's a lot of public code in the world with insecure coding patterns, bugs, or references to outdated APIs or idioms," and that when GitHub Copilot synthesizes code suggestions based on this data, it can also synthesize code that includes these undesirable patterns.
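A classic example of such a pattern is SQL built by string formatting, which appears throughout public code and invites injection. The snippet below is an illustrative sketch (not actual Copilot output) of the insecure idiom a model could reproduce, next to the parameterized alternative:

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'admin')")

def find_user_insecure(name: str):
    # Insecure pattern common in public code: user input is spliced
    # directly into the SQL string, enabling SQL injection.
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(name: str):
    # Safer idiom: let the database driver bind the parameter.
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

# A crafted input returns every row from the insecure version:
print(find_user_insecure("' OR '1'='1"))  # [('alice', 'admin')]
print(find_user_safe("' OR '1'='1"))      # []
```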
As the world's largest code-hosting platform, GitHub makes it easy for developers to find quality resources quickly, but it offers the same convenience to attackers. When code suggested by Copilot, or any open-source or third-party code and components, is used in day-to-day work, it is therefore advisable to run code security checks promptly to avoid inadvertently introducing vulnerabilities or other security risks, as sketched below.
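One simple, concrete check along these lines is verifying that a downloaded third-party artifact matches a known-good digest before it is used. This sketch assumes a locally downloaded file and a digest published by the component's maintainers; the file name and digest are placeholders:

```python
import hashlib
from pathlib import Path

# Placeholder values: substitute the real artifact and the digest
# published by the upstream project.
ARTIFACT = Path("third_party/library-1.2.3.tar.gz")
EXPECTED_SHA256 = "0123...replace-with-published-digest...cdef"

def verify_artifact(path: Path, expected: str) -> None:
    """Raise if the file's SHA-256 digest doesn't match the pinned value."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    if digest != expected:
        raise RuntimeError(f"Digest mismatch for {path}: got {digest}")

verify_artifact(ARTIFACT, EXPECTED_SHA256)
```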
Copilot may help speed up development
Copilot is based on OpenAI Codex, a new-generation learning system trained on English text as well as source code from public repositories such as those on GitHub. Given comments, function names, and variables, Copilot generates the function body it judges most likely to be needed, and the system also offers other candidate code blocks.
In tests using Python functions, Copilot guessed the correct code on the first attempt 43 percent of the time, and the correct block appeared within the first 10 suggestions 57 percent of the time. GitHub pitches the service as the other half of a pair-programming team, one that can significantly speed up development.
Current AI applications have a mixed record
To some extent, tools based on artificial intelligence (AI) and machine learning (ML) can help developers reduce system vulnerabilities, and can help security analysts triage alerts and handle incidents faster. However, early ML systems have often proved error-prone and vulnerable to adversarial attack.
In 2016, for example, Microsoft launched a chatbot called "Tay" on Twitter. The ML-driven system tried to converse with anyone who messaged it online and to learn from those conversations. A coordinated attack, however, thoroughly "corrupted" the chatbot in less than 24 hours, turning it into a foul-mouthed racist and forcing Microsoft to take it offline.
This example shows that training a machine learning (ML) algorithm on untrusted input from the Internet can lead to unexpected results. GitHub has also said that Copilot is still in its early stages and that security will be a priority going forward.
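The Tay incident is a case of training on untrusted input. As a toy illustration of the same failure mode (not from the article; the dataset, model, and flip rates are assumptions), a classifier trained on partially attacker-controlled labels degrades measurably:

```python
import numpy as np
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split

X, y = make_classification(n_samples=2000, n_features=20, random_state=0)
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=0)
rng = np.random.default_rng(0)

def poisoned_accuracy(flip_rate: float) -> float:
    """Flip a fraction of training labels (the 'untrusted input') and
    report test accuracy of a model trained on the corrupted data."""
    y_poisoned = y_train.copy()
    n_flip = int(flip_rate * len(y_poisoned))
    idx = rng.choice(len(y_poisoned), size=n_flip, replace=False)
    y_poisoned[idx] = 1 - y_poisoned[idx]  # attacker flips these labels
    model = LogisticRegression(max_iter=1000).fit(X_train, y_poisoned)
    return model.score(X_test, y_test)

for rate in (0.0, 0.2, 0.4):
    print(f"label flip rate {rate:.0%}: test accuracy {poisoned_accuracy(rate):.2f}")
```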
In response to an interview request, GitHub said it is still early days, and that it is working to incorporate GitHub's own security tools, to exclude insecure or low-quality code from the training set, and to add other mechanisms it will share in the future.
Security issues need to be addressed
GitHub Copilot tries to understand the user's intent and generate the best code it can, but the code it suggests may not always work, or even make sense. Code that Copilot recommends needs the same careful static security analysis as any other code.
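As a concrete instance of what such checks catch, static analyzers for Python such as Bandit flag patterns like `subprocess` calls with `shell=True` on user-controlled input. The snippet below is an illustrative sketch of the kind of insecure suggestion a reviewer should not accept, next to a safer form:

```python
import subprocess

def list_dir_insecure(user_path: str) -> str:
    # shell=True with interpolated user input allows command injection,
    # e.g. user_path = "/tmp; rm -rf ~" — analyzers such as Bandit flag this.
    return subprocess.run(f"ls {user_path}", shell=True,
                          capture_output=True, text=True).stdout

def list_dir_safer(user_path: str) -> str:
    # Passing an argument list avoids invoking the shell entirely.
    return subprocess.run(["ls", "--", user_path],
                          capture_output=True, text=True).stdout
```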
The field of ARTIFICIAL intelligence has grown rapidly in recent years, with the number of research papers focused on AI security and published online jumping to more than 1,500 in 2019 from 56 three years earlier. With more products coming out, systems like Copilot are easy targets for cyber attackers. In November 2020, MITRE teamed up with Microsoft and other tech companies to create a dictionary of potential counter-attacks against AI/ML systems, with plenty of examples of real attacks.
Moreover, insecure code is not the only concern. Personal data inadvertently posted on GitHub can surface in the code Copilot outputs, although this was rarely observed in tests of the system. Copilot is a tool, not a substitute for good coding habits.
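Hardcoded credentials are the typical way such personal data ends up in public repositories and, potentially, in suggestions. A minimal sketch of the safer habit, assuming the secret is supplied via the environment (the variable name is a placeholder):

```python
import os

# Risky habit: a literal credential in source ends up in version control
# (and, once public, potentially in a model's training data).
# API_KEY = "sk-live-abc123..."   # don't do this

# Safer habit: keep the secret out of the source file entirely.
API_KEY = os.environ["SERVICE_API_KEY"]  # name is a placeholder
```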
Developing good coding habits in daily work reduces the hidden risks left behind in software development, avoids wasted resources, lowers software maintenance costs, and keeps the entire software system healthier for longer.
Reference links:
www.woocoom.com/b021.html?i…
Beta.darkreading.com/application…