Generative artificial intelligence tools such as ChatGPT and GitHub Copilot are increasingly used in software development to generate code from natural language prompts. While these tools offer productivity and accessibility benefits, they also introduce security risks and raise educational concerns related to how developers learn, retain, and apply secure coding practices. AI-generated code may contain vulnerabilities, unintended logic, or insecure defaults, and uncritical reliance on such outputs can reduce opportunities for reflective learning and skill development, particularly among novice and early-career programmers. This paper presents a structured framework for the secure review of AI-generated code that explicitly supports both security assurance and developer education. The framework is derived from an extensive literature review on AI-generated code security risks and established secure software development standards, notably the OWASP Top 10 and the Common Weakness Enumeration (CWE). It consists of a six-phase review process supported by a practical checklist designed to guide systematic evaluation, encourage reflection on intent and implementation, and externalize expert security knowledge in a form suitable for repeated learning. The framework and checklist were evaluated using scenario-based testing of AI-generated code and validated through an AI-persona-based review representing different development and security perspectives. This validation informed iterative refinement of the artefact and demonstrated its applicability as a structured review and learning instrument. The proposed approach positions secure code review as a reflective and educational activity, contributing to software security education and continuous professional development in AI-assisted programming contexts.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Framework and Checklist for Secure and Reflective Review of AI-Generated Code

  • Peter Idem,
  • Johan van Niekerk,
  • Petrus M. J. Delport

摘要

Generative artificial intelligence tools such as ChatGPT and GitHub Copilot are increasingly used in software development to generate code from natural language prompts. While these tools offer productivity and accessibility benefits, they also introduce security risks and raise educational concerns related to how developers learn, retain, and apply secure coding practices. AI-generated code may contain vulnerabilities, unintended logic, or insecure defaults, and uncritical reliance on such outputs can reduce opportunities for reflective learning and skill development, particularly among novice and early-career programmers. This paper presents a structured framework for the secure review of AI-generated code that explicitly supports both security assurance and developer education. The framework is derived from an extensive literature review on AI-generated code security risks and established secure software development standards, notably the OWASP Top 10 and the Common Weakness Enumeration (CWE). It consists of a six-phase review process supported by a practical checklist designed to guide systematic evaluation, encourage reflection on intent and implementation, and externalize expert security knowledge in a form suitable for repeated learning. The framework and checklist were evaluated using scenario-based testing of AI-generated code and validated through an AI-persona-based review representing different development and security perspectives. This validation informed iterative refinement of the artefact and demonstrated its applicability as a structured review and learning instrument. The proposed approach positions secure code review as a reflective and educational activity, contributing to software security education and continuous professional development in AI-assisted programming contexts.