How Secure is Secure Code Generation? Adversarial Prompts Put LLM Defenses to the Test
Melissa Tessa, Iyiola E. Olatunji, Aicha War, Jacques Klein, Tegawendé F. Bissyandé
TL;DR
The paper tackles the problem that secure code-generation methods often report strong security under separate, non-unified benchmarks. It presents the first adversarial audit of three leading methods (Sven, SafeCoder, PromSec) under realistic prompt perturbations and evaluates security and functionality jointly using CodeSecEval. Static analyzers overestimate security by large factors, and a substantial fraction of outputs labeled secure are non-functional, with true secure-and-functional rates dropping to as low as $3\%$ to $17\%$ under attack. The results motivate best practices, including explicit threat models, adversarial robustness testing, unified joint evaluation, consensus-based validation, robust reporting, calibrated LLM judges, and a shift toward semantic security reasoning. Together, these contributions highlight the need for rigorous, deployment-oriented evaluation standards to ensure that secure code-generation methods deliver trustworthy code in real-world software supply chains.
Abstract
Recent secure code generation methods, using vulnerability-aware fine-tuning, prefix-tuning, and prompt optimization, claim to prevent LLMs from producing insecure code. However, their robustness under adversarial conditions remains untested, and current evaluations decouple security from functionality, potentially inflating reported gains. We present the first systematic adversarial audit of state-of-the-art secure code generation methods (SVEN, SafeCoder, PromSec). We subject them to realistic prompt perturbations such as paraphrasing, cue inversion, and context manipulation that developers might inadvertently introduce or adversaries deliberately exploit. To enable fair comparison, we evaluate all methods under consistent conditions, jointly assessing security and functionality using multiple analyzers and executable tests. Our findings reveal critical robustness gaps: static analyzers overestimate security by 7 to 21 times, with 37 to 60% of ``secure'' outputs being non-functional. Under adversarial conditions, true secure-and-functional rates collapse to 3 to 17%. Based on these findings, we propose best practices for building and evaluating robust secure code generation methods. Our code is available.
