Over the last two years LLMs have vastly improved their ability to write syntactically correct code, but they haven't improved in their ability to write code without vulnerabilities, which is steady at 45% of coding tasks with vulns. "Veracode found Java to be the riskiest language for AI code generation, with a security failure rate over 70 percent. Other major languages, like Python, C#, and JavaScript, still presented significant risk, with failure rates between 38 percent and 45 percent. The research also revealed LLMs failed to secure code against cross-site scripting (CWE-80) and log injection (CWE-117) in 86 percent and 88 percent of cases, respectively."

businesswire.com/news/home/202


@Weld I'm very suspicious of there being no relationship between the security pass rate and the syntactic pass rate.
To take Java as an example, the syntax is incorrect if and only if the program doesn't compile. That should either count as perfectly safe (as the program never runs) or as not safe. But the progress on syntax seems to have no effect on the security check curve!

Qoto Mastodon