π€ AI Summary
This study addresses the lack of developer-centered empirical evidence on how AI code assistants influence the secure use of APIs. Through a controlled user study involving 44 professional developers completing security-critical programming tasks with and without GitHub Copilot, the authors systematically evaluate its impact on functional correctness and security. Combining code analysis with developer interviews, they find that Copilot significantly improves functional correctness and modestly reduces certain unsafe coding patterns, yet it does not substantially enhance the correct usage of security-sensitive APIs. Notably, most developers, even when assisted by AI, remain unaware of security flaws in their code, revealing critical cognitive blind spots. These findings highlight the limitations of current AI-assisted programming tools in promoting secure coding practices and provide empirical grounding for future tool design and developer education initiatives.
π Abstract
AI code assistants are transforming software development, but their implications for software security remain a major concern, particularly in the context of security APIs. These APIs are critical for safeguarding software systems, yet their complexity often leads to incorrect use and serious vulnerabilities. Developing an evidence-based understanding of how AI assistants influence developers' use of these APIs is therefore essential for informing effective mitigation strategies. While a few user studies have examined the broader impact of AI assistants on software vulnerabilities, the use of security APIs remains unexplored from a developer-centered perspective. This study addresses this gap by presenting the first empirical investigation into how AI code assistants affect professional developers' use of security APIs. We conducted a study with 44 developers who completed security API programming tasks with and without GitHub Copilot assistance. Our findings show that, while Copilot improves functional correctness and marginally reduces certain insecure patterns, it does not significantly improve secure API usage. We also found that developers rarely raised security concerns when engaging with Copilot, and many did not recognize that their final implementations remained insecure. Finally, we offer recommendations for enhancing security awareness among developers and propose future research directions to support safer AI-assisted software development.