Is This Mission Possible? A Study on Developer Challenges in Using Generative AI for Secure Software Development in Industry
摘要
Developers are increasingly relying on generative AI (GenAI) tools throughout the software development lifecycle, including for security-relevant tasks. While these tools may improve productivity, they can also amplify insecure patterns, overconfidence, and cognitive offloading. We investigate how frequently industry developers use GenAI, what limitations they encounter, and how they perceive AI-assisted secure code review. We conducted a multi-site study embedded in nine secure-coding training workshops using the ASCEND platform, followed by an immediate post-task survey (84 responses; 69 analyzed qualitatively). Results show high but uneven GenAI adoption across experience levels and broadly positive perceptions of Large Language Model (LLM) support for vulnerability identification and review robustness, including among occasional users. However, participants report challenges when using LLMs for coding, most prominently code quality concerns (36.23% of respondents) and context limitations (34.78%), as well as hallucinations, productivity pitfalls, and prompting difficulties. Based on thematic analysis and industrial experience, we derive four complementary strategies for responsible adoption, targeted training, careful model selection and configuration, mandatory human review, and integration of automated security testing. We translate these findings into actionable recommendations for developers, tool builders, and technical leaders.