WildCode Revisited: A Comprehensive Empirical Study on the Security of LLM-Generated Code
For developers and security practitioners, it confirms that LLM-generated code in real-world use is often insecure, but the finding is incremental.
This study empirically analyzes real-life ChatGPT-generated code for correctness and security, finding it frequently insecure, supporting earlier synthetic studies. Users rarely ask about security.
LLM models are increasingly used to generate code, but the quality and security of this code are often uncertain. Several recent studies have raised alarm bells, indicating that such AI-generated code may be particularly vulnerable to cyberattacks. However, most of these studies rely on code that is generated specifically for the study, which raises questions about the realism of such experiments. In this study, we perform a large-scale empirical analysis of real-life code generated by ChatGPT. We evaluate code generated by ChatGPT both with respect to correctness and security and delve into the intentions of users who request code from the model. We further performed an experiment to evaluate the effectiveness of common prompt engineering strategies using real-life prompts. Our study supports earlier research that employed synthetic queries and produced proof that LLM-generated code is frequently insufficient in terms of security. Additionally, we observe that users don't ask many questions about the security characteristics of the code they ask LLMs to provide.