Between hype and real potential: AI in software development
AI is changing the way software is developed – with great potential, but also new challenges in terms of data protection and security.
by Florian Haßler and Yvonne Marneth, BSc
Contents
- Application methodologies and purpose
- Data protection & data security
- Code quality
- Rules for use
- Conclusion
- Sources
- Further sources
- Authors

The rapid development of artificial intelligence (AI) has revolutionized software development and opened up new horizons. In the pursuit of efficiency and innovation, companies are already increasingly relying on the integration of these technologies to improve their products, speed up the development process and offer their customers unique solutions.
Automated processes make it possible to bring products to market faster and benefit from new opportunities. AI-driven tools speed up tasks such as code analysis and bug fixing, allowing development teams to work more efficiently and deliver products sooner.
Alongside the benefits that AI brings, there are also growing concerns – particularly with regard to data protection and security. The question of intellectual property also arises, particularly in relation to automatic code generation and the potential unwanted use of licensed code bases or algorithms.
Given today’s challenging data protection landscape, it is crucial to take these concerns seriously and take proactive measures to ensure the integrity and confidentiality of data. In particular, trade secrets or other sensitive information that may be contained in code must be protected, as a breach could put not only the company itself but also other partners or end users at significant risk.
Application methodologies and purpose
Various types of AI tools are available to software developers for code generation. These include IDE plugins such as Copilot, which are directly integrated into the development environment and offer real-time coding suggestions, as well as web interfaces that provide AI-supported help via browser-based platforms. In addition, there are CLI and API-based tools that allow developers to programmatically access AI functions and integrate them into their workflows. Each of these variants has its advantages and disadvantages.
An example of an AI tool in software development is GitHub Copilot. The tool integrates directly into the most popular development environments (JetBrains IDEs and Visual Studio Code), analyzes the currently visible source code and, similar to IntelliSense, makes coding suggestions and completes functions. It supports various programming languages such as JavaScript/TypeScript, Java/Kotlin, Python, Go, C#, C++ and many more. It also has a chat function, which eliminates the need to visit the web interface of OpenAI’s ChatGPT.

The actual use of AI tools in software development varies depending on the preferences and requirements of individual developers. Some choose a sporadic approach, using AI tools occasionally to solve specific problems or to gain new perspectives; others integrate AI tools continuously into their workflow and receive ongoing suggestions and support. There are also developers who consciously choose not to use AI tools and rely on traditional methods instead.
At RISC Software GmbH, we specifically use AI tools to optimize our development processes. By integrating various tools into our workflows, we can not only work more efficiently, but also accelerate the development of high-quality software products.
Data protection & data security
Data protection and data security are of crucial importance in a company like RISC Software GmbH, which implements both research and customer projects. Data security has top priority! Especially when using AI tools in software development, it must be ensured that data protection regulations are complied with and that the confidentiality of our customers’ data is maintained at all times.
Although GitHub is ISO-certified in many areas, this does not yet apply to the Copilot coding assistant. There is currently a lawsuit against Microsoft because GPL-licensed code has allegedly appeared in code generated by Copilot [1]. Although it is generally assumed that machine-generated code is not a derivative work [2], and most generated source code can be assumed not to give rise to copyright conflicts, Gitlab has reacted and offers a feature that is active by default in the business version: “Blocks suggestions matching public code”. The associated FAQ article acknowledges that generated code can match code in the training set, which is why a downstream filter now blocks the response if it matches public code in GitHub repositories [3].
According to the GitHub Copilot Trust Center[4], GitHub does not use data from Copilot Business or Copilot Enterprise to train its models. In addition, input and suggestions created by the IDE chat or code completion are not saved.
By default, ChatGPT follows the approach of letting its models learn from the data entered. This can be seen from the FAQ: “[…] we may use your content to train our models […]” [5]. Users can opt out via the data protection portal to prevent their content from being used to train the models. For business customers on the ChatGPT Team or ChatGPT Enterprise plans, content is not used to train the model.

On April 30, 2024, creative region held a lecture on the topic of “AI & copyright law”[6]. The lawyer Markus Gaderer, LL.M., spoke about data security in a personal discussion following the lecture and explained that the use of AI tools will also be so commonplace in software development in three to five years’ time that nobody will worry about it anymore.
Code quality
Productivity
The use of code generation in software development makes it possible to generate large amounts of code in a short space of time. However, more code does not automatically mean higher productivity. Shorter and clearer implementations primarily facilitate quality assurance measures such as code reviews and reduce the likelihood of errors in complex structures being overlooked, which could otherwise cost a lot of time at a later stage.
Security
Generated code can introduce security vulnerabilities unnoticed, especially because language models are often trained on code that uses outdated versions of libraries. These models often do not take known vulnerabilities into account, which creates potential attack vectors. Without targeted security checks, the uncontrolled use of generated code increases the risk of security problems.
Reliability & Maintainability
LLMs have no way of checking the generated code for reliability and functionality. Large amounts of code also increase the “churn”, i.e. the proportion of lines of code that are changed or replaced shortly after they are created, which can lead to greater complexity in the long term or break existing functionality. Another major problem is the hallucination of language models, which produce algorithms that work only partially or not at all. In addition, they learn mainly from publicly available code, for which there are no, or only very inconsistent, benchmarks for comprehensible, secure and efficient code.
Code documentation
The detailed and extensive documentation of code is often neglected in practice due to time constraints and is traditionally not one of the most popular tasks for developers. This is where language models can help to create better documentation in a very short space of time in order to support the traceability of the code created.
Test generation
Tests, especially unit tests, are often not implemented in detail due to time pressure. Language models can also help here by suggesting test cases or generating unit tests. This can relieve developers so that they can concentrate on feature development while at the same time increasing code quality.
Rules for use
Rule 1: Developers are also responsible for generated code
The model is meant to support the developer, not the other way round. Anything introduced into a code base under one’s own name should be treated as if one had written it oneself.
Rule 2: Do not generate too much code at once
Large amounts of code are harder to review, which makes it easier for errors and security risks to be overlooked. It can pay off to build complex algorithms or large features step by step.
Rule 3: Establish uniform quality standards
Uniform standards help to review new code faster. Linters can be used to standardize code style and syntax, and (automated) review processes can ensure comprehensibility and reliability.
Rule 4: Automated checks
Automated tools can already catch many problems and ensure quality standards with little loss of time. Static code analysis, dependency checks and the like, implemented in pipelines, are particularly suitable for this.
Rule 5: Comprehensive test coverage
Not all problems can be caught automatically by static analysis. Especially where functionality and user experience are concerned, good coverage with unit tests and the involvement of QA teams where necessary are often required.
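The “Security” passage under code quality and rule 4 come down to the same point: an assistant’s suggestion must pass the same automated gate as hand-written code before it reaches human review. The following Python script is an added example (not code from the article or from RISC Software GmbH) showing two such checks in simplified form: a small AST-based static check for calls that execute strings as code or shell commands, and a dependency pin check against an advisory list. The advisory list, the package names `examplelib` and `otherlib`, and both samples are constructed placeholders; in a real pipeline these checks are done by dedicated tools such as a SAST scanner and a dependency auditor, which this script illustrates rather than replaces.

```python
"""Minimal merge gate for generated code (added example, not RISC's tooling).

Two of the checks that rule 4 recommends automating, in simplified form:
  * an AST-based static check for patterns that execute attacker-controlled
    strings (eval/exec, subprocess with shell=True), and
  * a dependency pin check against an advisory list.
The advisory list and both samples below are constructed for this example;
the package names and versions are placeholders, not real advisories.
"""
import ast
from dataclasses import dataclass

# Constructed advisory list: package -> first version that fixes the issue.
# "examplelib" is a placeholder name, not a real package.
ADVISORIES = {
    "examplelib": (1, 4, 2),
}

# Builtins that turn a string into executable code.
RISKY_BUILTINS = {"eval", "exec"}


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.3.0' into (1, 3, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def check_pins(requirements: str) -> list[Finding]:
    """Flag unpinned requirements and pins below the advisory's fixed version."""
    findings = []
    for lineno, raw in enumerate(requirements.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            findings.append(Finding(lineno, f"unpinned dependency '{line}': resolved version is not reviewable"))
            continue
        name, version = line.split("==", 1)
        fixed = ADVISORIES.get(name.strip().lower())
        if fixed is not None and parse_version(version) < fixed:
            fixed_str = ".".join(map(str, fixed))
            findings.append(Finding(lineno, f"{name.strip()}=={version.strip()} is below fixed version {fixed_str}"))
    return findings


def check_source(source: str) -> list[Finding]:
    """Walk the AST and flag calls that execute strings as code or shell commands."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in RISKY_BUILTINS:
            findings.append(Finding(node.lineno, f"{func.id}() executes an arbitrary string"))
        elif (isinstance(func, ast.Attribute)
              and isinstance(func.value, ast.Name)
              and func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append(Finding(node.lineno, f"subprocess.{func.attr}(..., shell=True) routes the command through a shell"))
    return sorted(findings, key=lambda f: f.line)


def gate(source: str, requirements: str) -> dict[str, list[Finding]]:
    """Run both checks; empty lists mean the change may proceed to human review."""
    return {"source": check_source(source), "requirements": check_pins(requirements)}


# Constructed samples: a snippet of the kind an assistant might suggest, plus its pins.
SAMPLE_SOURCE = """\
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True)

def calc(expr):
    return eval(expr)
"""

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.3.0
otherlib
"""

if __name__ == "__main__":
    for target, findings in gate(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS).items():
        for finding in findings:
            print(f"{target} line {finding.line}: {finding.message}")
```

Run it as a script and it reports the shell=True call, the eval() call and both dependency problems with their line numbers; in a pipeline the same function would fail the job when any list is non-empty, so that rule 1 (the developer owns the generated code) is backed by an automatic check rather than by good intentions alone.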
Sources
[1] https://githubcopilotinvestigation.com or https://forum.eu/technologie-gesellschaft/gerichtsverfahren-gegen-github-copilot-wegen-ai-piracy
[2] https://netzpolitik.org/2021/edit-policy-githubs-ki-copilot-ist-keine-urheberrechtsverletzung
[3] https://docs.github.com/de/copilot/github-copilot-chat/about-github-copilot-chat
[4] https://resources.github.com/copilot-trust-center/
[5] https://help.openai.com/en/articles/6783457-what-is-chatgpt
[6] https://events.factory300.at/events/1415353737/ai-and-recht
Further sources
- “Code Faster, Write Cleaner using AI Coding Assistants and Sonar”: https://www.youtube.com/watch?v=mHx4fIpJ4f8
- https://github.blog/2023-03-22-github-copilot-x-the-ai-powered-developer-experience/
- https://akvelon.com/whitepapers/github-copilot-efficiency-survey/
- https://akvelon.com/github-copilot-efficiency-survey-data-revealed-akvelon/
- https://arstechnica.com/tech-policy/2024/02/air-canada-must-honor-refund-policy-invented-by-airlines-chatbot/
- https://www.assono.de/blog/chatbots-und-ki-46—github-copilot-teil-2-datenschutz-dilemma-oder-unverzichtbar-f%C3%BCr-unternehmen-mit-steffen-brandt
- https://github.com/features/copilot
- https://docs.github.com/en/enterprise-cloud@latest/copilot/copilot-business/about-github-copilot-business
Authors
Florian Haßler
Software Engineer
Yvonne Marneth, BSc
Software Developer