Do AI Coding Assistants Make Bad Coders Worse? A Security Evaluation of GitHub Copilot
This paper examines whether the overall security posture of a project affects the quality of the code produced by Copilot. It compares Copilot's output in two distinct environments: one that adheres to secure coding practices and another with known vulnerabilities.
The objective is to determine whether Copilot perpetuates poor practices or adapts to more secure methodologies. The findings provide practical guidance for developers and emphasize strategies such as careful prompt design and secure project scaffolding to help mitigate the risk of introducing vulnerabilities through AI-assisted coding.
Download: sans-Do-AI-Coding-Assistants-Make-Bad-Coders-Worse-Hannaford (PDF, 2.20MB)
Published 11 Jul 2025