
Microsoft Patent Highlights Weaknesses in Code Generators

AI-powered coding has emerged as one of the best use cases for the powerful foundational models.

Photo of a Microsoft patent
Photo via U.S. Patent and Trademark Office


Code generators have their issues, and Microsoft is developing a tool to hunt them down. 

The tech giant filed a patent application for “mitigating third-party code vulnerabilities in AI-assisted code generation,” tech designed to catch outdated or vulnerable third-party packages in the code that AI assistants generate. 

While AI models can be helpful in reducing the time it takes to write code, the models are trained on static data that may not reflect updates to code libraries, such as patches applied to third-party packages after the model was trained, Microsoft said in the filing. “As a result, the model may suggest the use of outdated or vulnerable versions of third-party packages,” the filing noted. 

When a large language model is used to generate code, Microsoft’s tech protects against vulnerabilities with a middleware layer that provides a filter between the model and the user. 

This layer intercepts the generated code, parses out any references to third-party packages, and compares them against a list of “certified” packages, meaning ones that are approved and free of known vulnerabilities. If an uncertified package is found, the reference is either redacted from the code or replaced with a certified alternative before the code is sent back to the user. 
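To make the middleware idea concrete, here is an added illustration of such a filter for Python output. It is not Microsoft's code and is not taken from the patent filing: the allowlist, the replacement map, the module-to-distribution table and the sample generated code and requirements are all constructed for the example. It parses the import statements with Python's own parser, pulls pinned packages out of a requirements list, and then either keeps, re-pins, replaces or redacts each reference, failing closed if the generated code does not even parse.

```python
"""Allowlist filter placed between a code-generating model and the user.

Illustrative example only: the certified list, replacement map and sample
model output below are constructed for this demonstration.
"""
import ast
import re
import sys
from dataclasses import dataclass, field

# Constructed allowlist: distribution -> approved versions, oldest to newest.
# The last entry is the version an uncertified pin is rewritten to.
CERTIFIED: dict[str, list[str]] = {
    "requests": ["2.32.3"],
    "pyyaml": ["6.0.2"],
    "cryptography": ["43.0.1"],
}
# Constructed map from an uncertified distribution to a certified alternative.
REPLACEMENTS: dict[str, str] = {"pycrypto": "cryptography"}
# Import module name -> distribution name, where the two differ (constructed).
MODULE_TO_DIST: dict[str, str] = {"yaml": "pyyaml", "Crypto": "pycrypto"}
# Standard-library modules are never third-party; fall back to a small set
# on interpreters older than 3.10, which lack sys.stdlib_module_names.
STDLIB = getattr(sys, "stdlib_module_names", None) or {"os", "sys", "re", "json"}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)\s*$")


@dataclass
class FilterResult:
    code: str
    requirements: str
    findings: list[str] = field(default_factory=list)


def dist_for_module(module: str) -> str:
    """Map the top-level module of an import to its distribution name."""
    top = module.split(".")[0]
    return MODULE_TO_DIST.get(top, top.lower())


def third_party_imports(code: str) -> list[tuple[int, int, str]]:
    """Return (first line, last line, distribution) for each non-stdlib import."""
    found = []
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [node.module]  # relative imports (level > 0) are local code
        else:
            continue
        for name in names:
            if name.split(".")[0] not in STDLIB:
                found.append((node.lineno, node.end_lineno, dist_for_module(name)))
    return found


def filter_requirements(req_text: str, findings: list[str]) -> str:
    """Keep certified pins, re-pin certified packages, replace or redact the rest."""
    out = []
    for line in req_text.splitlines():
        m = REQ_LINE.match(line)
        if not m:
            out.append(line)  # comments and blank lines pass through unchanged
            continue
        name, version = m.group(1).lower(), m.group(2)
        if version in CERTIFIED.get(name, []):
            out.append(f"{name}=={version}")
        elif name in CERTIFIED:
            pinned = CERTIFIED[name][-1]
            findings.append(f"{name}=={version}: uncertified version, pinned to {pinned}")
            out.append(f"{name}=={pinned}")
        elif name in REPLACEMENTS:
            alt = REPLACEMENTS[name]
            findings.append(f"{name}: uncertified package, replaced with {alt}")
            out.append(f"{alt}=={CERTIFIED[alt][-1]}")
        else:
            findings.append(f"{name}: uncertified package, redacted")
            out.append(f"# REDACTED: {line.strip()}")
    return "\n".join(out) + "\n"


def filter_code(code: str, findings: list[str]) -> str:
    """Comment out imports of uncertified packages; fail closed on unparseable code."""
    try:
        imports = third_party_imports(code)
    except SyntaxError as exc:
        findings.append(f"generated code did not parse ({exc.msg}); nothing forwarded")
        return "# REDACTED: generated code did not parse and was not forwarded\n"
    lines = code.splitlines()
    for start, end, dist in imports:
        if dist in CERTIFIED:
            continue
        alt = REPLACEMENTS.get(dist)
        note = f"use certified '{alt}' instead" if alt else "no certified alternative"
        findings.append(f"line {start}: import of uncertified '{dist}' redacted ({note})")
        # Comment out every line of the statement so multi-line imports stay valid.
        lines[start - 1] = f"# REDACTED ({note}): {lines[start - 1].strip()}"
        for i in range(start, end):
            lines[i] = f"# {lines[i]}"
    return "\n".join(lines) + "\n"


def filter_generated(code: str, requirements: str) -> FilterResult:
    findings: list[str] = []
    return FilterResult(filter_code(code, findings), filter_requirements(requirements, findings), findings)


def parses_cleanly(code: str) -> bool:
    """True if the filtered output is still valid Python."""
    try:
        ast.parse(code)
        return True
    except SyntaxError:
        return False


# Constructed sample of model output, including an outdated pin and an
# unmaintained crypto package, standing in for what a model might emit.
GENERATED_CODE = """import os
import requests
import yaml
from Crypto.Cipher import AES

def load(path):
    with open(path) as f:
        return yaml.safe_load(f)
"""
GENERATED_REQUIREMENTS = """requests==2.19.0
pyyaml==6.0.2
pycrypto==2.6.1
"""

if __name__ == "__main__":
    result = filter_generated(GENERATED_CODE, GENERATED_REQUIREMENTS)
    print(result.code)
    print(result.requirements)
    print("\n".join(result.findings))
```

Two details matter in practice. Import names and distribution names often differ (`yaml` is shipped by `pyyaml`), so a filter that compares bare import names against an allowlist will miss or misclassify packages unless it carries that mapping. And an import statement can span several lines, so redacting only the first line would leave the user with code that no longer parses; the example comments out the whole statement and checks the result still parses.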

AI-powered coding has emerged as one of the best use cases for the powerful foundational models that Big Tech firms are creating, with so-called “vibe coding” opening the door for less tech-savvy people to try their hand at development. 

But Microsoft’s patent signals a major issue that developers are facing as they utilize these tools: the security of what the tools produce. A recent study from application security firm Veracode found that only 55% of the AI-generated code it tested was free of security flaws. 

And as companies seek to keep up with the rapid pace of competition, security tends to be deprioritized, with many firms knowingly shipping code with unresolved flaws to meet delivery deadlines. Microsoft’s tech may provide a much-needed layer of protection as enterprises continue to up the ante. 
