AI-generated code has transformed software development forever. That’s not necessarily good. A solid review process can shrink bloat and attack surfaces.

Coding tools like GitHub Copilot can help developers author code 55% faster, according to GitHub. Hurray! Right? Well, maybe not. GitClear analyzed 153 million lines of changed code between January 2020 and December 2023 and now expects that code churn (“the percentage of lines that are reverted or updated less than two weeks after being authored”) will double in 2024. In other words, “Code generated during 2023 … resembles [that of] an itinerant contributor,” as if you hired a short-term contractor more concerned with cranking out verbose code than ensuring its maintainability. Bloated code creates security nightmares, among other issues, as Bert Hubert captures.

This isn’t to suggest that developers shouldn’t use AI assistants. Rather, it’s an indication that care must be taken to ensure over-reliance on AI doesn’t make our machines, and the code that runs them, stupid.

Everyone is doing it

There wouldn’t be much need for concern had generative AI (genAI) not exploded into use last year. With that adoption comes both good and bad, as Datasette creator Simon Willison highlights. “In the past 24–36 months,” he writes, “our species has discovered that you can take a giant corpus of text, run it through a pile of GPUs, and use it to create a fascinating new kind of software.” That software can significantly improve our lives, he continues, if we learn to master it. Fortunately, large language models (LLMs) are “actually quite easy to build,” requiring just a few hundred lines of Python code. The tricky part of LLMs is not the code used to write them, but rather the data used to train them. In 2023 we learned new ways to keep them from going off the rails (“hallucinating”) with retrieval-augmented generation (RAG), and other means. That’s the good.
On the bad side of the ledger, we’re also realizing just how flaky they can be. After all, knowing how to prompt an LLM is still a dark art (with no consistency). As Willison notes, “The things you sometimes have to do to get the models to behave are often incredibly dumb.” This is less true of creating software than of, say, asking ChatGPT to write a term paper. But it’s still true that getting an LLM to do any particular work is an exercise in fiddling with knobs (prompts) to get what you want.

The worst part of AI-generated software—and of today’s software in general—is bloat. “The more [code] you have … the more risks you run,” argues Hubert. In some ways, we’ve tried to route around this by making it someone else’s problem to run our software. “Software is now (rightfully) considered so dangerous that we tell everyone not to run it themselves,” says Hubert.

The key is to write less code. Leaner software is safer software. “The world ships too much code,” Hubert declares, “most of it by third parties, sometimes unintended, most of it uninspected. Because of this, there is a huge attack surface full of mediocre code.” AI exacerbates the problem.

Installing gates

Code review, both automated by machines and executed by people, is the answer. One could argue that, sure, coding assistants create bloated, less maintainable code, but AI also minimizes the need for people to maintain it. Sounds acceptable, right? Wrong. The broadened attack surface remains.

The answer to this code quality conundrum is arguably the same as it has always been: code reviews. Where code comes from matters less than the process by which development teams push to production. As one of my colleagues put it recently, “Good code is crafted just as much by good process as by good developers.” That process depends on developers not shirking their responsibility to learn the basics of software development.
There’s a risk that less-experienced developers will skip over the most difficult software engineering topics like data structures and algorithms, distributed systems, networking, etc. This puts them in a weak position to do effective code reviews. My hope is that developers will both embrace the new opportunities afforded by AI tools while deepening their roots in the essentials that will help them use AI tools effectively and not get used by them. This hope will become reality as development leads insist on robust code reviews, which, in turn, raise the bar on those involved in the coding process, be they human or machine.