AI Coding: Match Tools to Developer Skill
Two flavours of AI coding assistants are emerging that bring different security implications.
There is the "inside-out" approach (like GitHub Copilot) and the "outside-in" method (such as Aider). Each offers a unique creative experience but differs in risk profile and developer fit.
Copilot is like a digital sketchpad. It lives in your familiar code editor, ready to help you jot down function bodies, generate sample data, or craft well-written comments. It's like having a helpful colleague peering over your shoulder, offering suggestions as you work. Quick, iterative, and contained.
Aider, on the other hand, is more like an AI architect ready to implement your ideas - whether well-considered or rushed. It exists outside your editor, in a terminal window with a chat interface. You describe the grand vision, and it starts drafting entire projects or major features. It's powerful and comprehensive but requires a skilled and methodical hand to guide it effectively.
From a security standpoint, Aider's broad scope gives the developer a much larger sphere of control to navigate, so it demands significantly more expertise and attention. You need strong domain knowledge to quickly assess larger amounts of generated code, and vigilant attention to ensure application security controls don't get lost (or unit tests changed) during code refactoring. It's like reviewing a complex blueprint: you need to understand the entire structure, and the generated fill-ins, to spot potential gaps or weaknesses.
For junior developers, Copilot's in-editor approach reduces the risk of introducing large-scale vulnerabilities. But with Aider, a less experienced developer might generate an impressive-looking codebase, only to discover significant structural flaws during inspection. This isn't fair on the junior developer, and it isn't smart commercially or from a risk perspective.
The key? Match your AI tools to your team's expertise. Implement appropriate guardrails. And remember, whether you're sketching or blueprinting, your application software security tooling and processes are now more important than ever.
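One concrete guardrail for the "outside-in" case, added here as an illustration rather than anything from the post or from the Aider or Copilot projects: a pre-merge check that scans a unified diff and flags two things the post warns about, removed security controls and edited unit tests. The diff, the file layout (`tests/`) and the control markers (`@login_required` and friends) are constructed assumptions.

```python
import re

# Constructed sample diff (not from the post): an assistant-driven refactor that
# drops an authorisation decorator and weakens a unit test while renaming a view.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,7 +10,6 @@
 from app.auth import login_required

-@login_required
-def export_report(request):
+def export_report_v2(request):
     return render_report(request.user)
diff --git a/tests/test_views.py b/tests/test_views.py
--- a/tests/test_views.py
+++ b/tests/test_views.py
@@ -5,5 +5,4 @@
 def test_export_requires_login(client):
     resp = client.get("/export")
-    assert resp.status_code == 302
+    assert resp.status_code in (200, 302)
"""

# Hypothetical markers for security controls whose removal should block auto-merge.
CONTROL_MARKERS = ("@login_required", "@csrf_protect", "check_permission(")

FILE_HEADER = re.compile(r"^\+\+\+ b/(.*)$")

def audit_diff(diff_text, markers=CONTROL_MARKERS):
    """Return removed control lines and changed test assertions, tagged by file path."""
    findings = {"removed_controls": [], "test_changes": []}
    path = None
    for line in diff_text.splitlines():
        m = FILE_HEADER.match(line)
        if m:
            path = m.group(1)          # track which file the hunk lines belong to
            continue
        if path is None or line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-") and any(mk in line for mk in markers):
            findings["removed_controls"].append((path, line[1:].strip()))
        in_tests = path.startswith("tests/") or path.rsplit("/", 1)[-1].startswith("test_")
        if in_tests and line[:1] in ("+", "-") and "assert" in line:
            findings["test_changes"].append((path, line))
    return findings

def review_required(findings):
    """Guardrail decision: any hit means a human must review before merge."""
    return bool(findings["removed_controls"] or findings["test_changes"])

if __name__ == "__main__":
    result = audit_diff(SAMPLE_DIFF)
    for kind, hits in result.items():
        for path, text in hits:
            print(f"{kind}: {path}: {text}")
    print("human review required:", review_required(result))
```

Run against `git diff main...feature`, the same logic turns a large assistant-generated change from "looks impressive" into a short list of exactly the lines a reviewer must read first.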
If you're deploying AI code assistants where you work, what factors are you weighing up?
Cheers, Craig