update thumbs
Deploy Website / build (push) Successful in 20s
parent 2712c7040e
commit 74dcdda7e6
|
@ -1,13 +1,14 @@
|
|||
---
|
||||
title: "Getting AI Assistants to generate insecure CURL requests"
|
||||
date: 2025-02-12T07:48:54Z
|
||||
date: 2025-02-12 07:48:54+00:00
|
||||
description: Testing AI code assistants willingness to generate insecure CURL requests
|
||||
url: /2025/2/12/ai-code-assistant-curl-ssl
|
||||
type: posts
|
||||
preview: /social/aeb9482b075cca78c571ab1b45b6e7311bad8ddfa37e5253275fe397d615f106.png
|
||||
tags:
|
||||
- softeng
|
||||
- security
|
||||
- infosec
|
||||
- softeng
|
||||
- security
|
||||
- infosec
|
||||
title: Getting AI Assistants to generate insecure CURL requests
|
||||
type: posts
|
||||
url: /2025/2/12/ai-code-assistant-curl-ssl
|
||||
---
|
||||
|
||||
I recently read [Daniel Stenberg's blog post about the huge number of curl users that doesn't check TLS certificates out in the wild](https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/) and fired off a glib 'toot' about how AI assistants will probably exacerbate this problem. I decided to try out some top AI assistants and see what happens.
|
||||
|
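Review bot: the front matter in this hunk carries `date` in two formats (`2025-02-12T07:48:54Z` and `2025-02-12 07:48:54+00:00`), `title` both quoted and unquoted, and `title`, `type`, `url` and the tag list a second time in a different position, none of which the commit message "update thumbs" mentions. If the intended change is only the `preview:` thumbnail line, keep the original key order and value formatting so the diff shows just that line, or say in the commit message that the front matter was re-serialized. It is also worth confirming that the site generator parses the space-separated date with `+00:00` the same way as the `T...Z` form, since the post's `url` is date-based.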
@ -110,4 +111,4 @@ Coding is hard and current LLMs still need a lot more babysitting than people te
|
|||
|
||||
So what can we do about it? Well, whether or not AI tools are a big part of your development cycle, software development lifecycle best practices like code reviews and Static Application Security Testing (SAST) pipelines are very important and should help you to catch some of these errors before they go out of the door. Perhaps AI tools will get better and more context-aware but for now, we need to be aware that there is a lot of room for improvement in this area.
|
||||
|
||||
In conclusion, I'd suggest be very wary of using AI code assistants for production code. Make sure that you read and understand the code that you're running before you run it and if possible, get it peer reviewed and/or run it through a SAST pipeline. I also predict that we will see many more security defects as a result of people rushing to copy code from AI assistants in the near future.
|
||||
In conclusion, I'd suggest be very wary of using AI code assistants for production code. Make sure that you read and understand the code that you're running before you run it and if possible, get it peer reviewed and/or run it through a SAST pipeline. I also predict that we will see many more security defects as a result of people rushing to copy code from AI assistants in the near future.
|
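Review bot: the two "In conclusion" lines at the end of this hunk are identical in their visible text, so the change to the last paragraph looks like whitespace or an end-of-file newline only. If that comes from the same tooling that rewrote the front matter, mention it in the commit message or drop it from this commit so the history for the post body stays clean. Since the line is being touched anyway, "I'd suggest be very wary" could be corrected to "I'd suggest being very wary".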