"You still have to study" -- On the Security of LLM generated code
Project Overview
This document examines the role of generative AI, particularly large language models (LLMs), in education and software development, emphasizing their use in generating code. It specifically evaluates four prominent LLMs—GitHub Copilot, ChatGPT, CodeWhisperer, and CodeLlama—while investigating the impact of prompt quality on the security of the generated code. The analysis reveals that the effectiveness of LLMs in producing secure code is highly influenced by the prompting techniques employed. Although the initial outputs often contain vulnerabilities, the findings indicate that with optimal prompting strategies, these models can indeed generate secure and reliable code. The document underscores the potential of generative AI in educational contexts, particularly in teaching coding and software development, while also highlighting the need for careful management of prompts to mitigate risks associated with insecure code generation. Overall, it presents a balanced view of the capabilities and limitations of LLMs in enhancing educational outcomes in programming and software security.
Key Applications
Code generation and security analysis using LLMs
Context: Educational context for software development students
Implementation: Case study with 117 prompts applied to different LLMs (ChatGPT, Copilot, CodeWhisperer, CodeLlama) focusing on security vulnerabilities
Outcomes: Improved security of code generation by utilizing effective prompting techniques, with some LLMs achieving close to 100% secure code with manual guidance
Challenges: Initial generation of insecure code; reliance on the quality of prompts; need for user expertise in security practices
Implementation Barriers
Technical Barrier
Initial code generated by LLMs frequently contains security vulnerabilities due to inadequate training data and poor prompt quality.
Proposed Solutions: Implementing prompt engineering techniques and providing specific guidance to improve code security.
Educational Barrier
Students may rely too heavily on AI-generated code without understanding security practices, leading to insecure code.
Proposed Solutions: Educating students on secure coding practices and the importance of prompt quality when using AI tools.
Project Team
Stefan Goetz
Researcher
Andreas Schaad
Researcher
Contact Information
For information about the paper, please contact the authors.
Authors: Stefan Goetz, Andreas Schaad
Source Publication: View Original Paper
Project Contact: Dr. Jianhua Yang
LLM Model Version: gpt-4o-mini-2024-07-18
Analysis Provider: OpenAI