Developers are increasingly relying on generative AI (GenAI) tools throughout the software development lifecycle, including for security-relevant tasks. While these tools may improve productivity, they can also amplify insecure patterns, overconfidence, and cognitive offloading. We investigate how frequently industry developers use GenAI, what limitations they encounter, and how they perceive AI-assisted secure code review. We conducted a multi-site study embedded in nine secure-coding training workshops using the ASCEND platform, followed by an immediate post-task survey (84 responses; 69 analyzed qualitatively). Results show high but uneven GenAI adoption across experience levels and broadly positive perceptions of Large Language Model (LLM) support for vulnerability identification and review robustness, including among occasional users. However, participants report challenges when using LLMs for coding, most prominently code quality concerns (36.23% of respondents) and context limitations (34.78%), as well as hallucinations, productivity pitfalls, and prompting difficulties. Based on thematic analysis and industrial experience, we derive four complementary strategies for responsible adoption, targeted training, careful model selection and configuration, mandatory human review, and integration of automated security testing. We translate these findings into actionable recommendations for developers, tool builders, and technical leaders.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Is This Mission Possible? A Study on Developer Challenges in Using Generative AI for Secure Software Development in Industry

  • Sathwik Amburi,
  • Tiago Gasiba,
  • Tobias Fertig,
  • Ulrike Lechner,
  • Maria Pinto-Albuquerque

摘要

Developers are increasingly relying on generative AI (GenAI) tools throughout the software development lifecycle, including for security-relevant tasks. While these tools may improve productivity, they can also amplify insecure patterns, overconfidence, and cognitive offloading. We investigate how frequently industry developers use GenAI, what limitations they encounter, and how they perceive AI-assisted secure code review. We conducted a multi-site study embedded in nine secure-coding training workshops using the ASCEND platform, followed by an immediate post-task survey (84 responses; 69 analyzed qualitatively). Results show high but uneven GenAI adoption across experience levels and broadly positive perceptions of Large Language Model (LLM) support for vulnerability identification and review robustness, including among occasional users. However, participants report challenges when using LLMs for coding, most prominently code quality concerns (36.23% of respondents) and context limitations (34.78%), as well as hallucinations, productivity pitfalls, and prompting difficulties. Based on thematic analysis and industrial experience, we derive four complementary strategies for responsible adoption, targeted training, careful model selection and configuration, mandatory human review, and integration of automated security testing. We translate these findings into actionable recommendations for developers, tool builders, and technical leaders.