AI, LLM create unsecure software

First: AI, LLM are a very powerful tool for software developers. 

The following lines will indicate a limit of LLM in software development. 

So you aware of it and can handle it right. 

I found this problem by incident. LLM like qwen3-coder:30b generating code that uses outdated libs and frameworks containing CVE's. 

 

Conclusions 

1.  LLM's are not perfect writing code but don't drop it.
2. Many (Most, All) LLM's living in the past.
3.  LLM's  generate projects with outdated vulnerable dependencies. Be aware of it.  This will time problem will affect all ideas the LMM is generating.

Test

 The task: create a Spring Boot web app with qwen3-coder:30b (ollama, aider) 

1. pom.xml contains Spring Boot Starter Parent 2.7.0, uh that's a little bit outdated
2. Release date was May 19, 2022
3. contains at least 10 CVEs
4. Select Java 11 

Ok, I give a helping hand 

1. Task: create a spring boot web app, spring boot 4 
2. pom.xml contains Spring Boot Starter Parent 3.2.0, uh that's a little bit less outdated
3. Release date was November 23, 2023
4. contains at least 2 CVEs
5. Select Java 17

Looks that the model is living in the past, at least 2 years. So I give are more modern model a try: qwen3.6:27b 

1. Task: create a spring boot web app, spring boot 4  
2. pom.xml contains Spring Boot Starter Parent 3.3.0, best I can get but still far away, gives me a hint to 4.0.0-M1 
3. Release date was May 23, 2024 
4. contains at least 7 CVEs 
5. Select Java 17 

 

Expect the Unexpected: Some Words about Errors

     For all ‘Happy Path’ developers, proper error handling is a fundamental feature of software, and it is quite possible that error handling is for half of your code.

 

Expect the unexpected: not all English postboxes are red. This Victorian one stands in Dublin.

 

There two types of errors:

• Retryable Error
• Permanate Error

Retryable error: a temporary issue has occurred. a retry is likely successful. Example causes: firewall reboot, db maintenance, HTTP 5XX.

Permanent error: error where a retry will always end-up with an error. Example: HTTP4XX, NPEs (Null Pointer Exceptions).

After a retry sequence, Retryable errors should become permanent errors.

And at last, don’t forget Logging and Monitoring of errors.

Will AI aka LLM replace Software Developers?

Question

Will AI aka LLM replace Software Developers?

Short answer 

No. The rising of LLM will increase the demand of software developers. 

 

 

Longer Answer

A LLM can generate text based on the training data. That's brilliant if you  doing you homework or writing a message a teacher (South Park episode "Deep Learning"). If you search for information, LLM are brilliant, comparing things, aggregate information that the jobs LLM can help you a lot.

 But Coding, writing software; is not writing text. If you want to learn a programming language, a LLM is great. If you searching for boiler plate code or a strange configuration property, LLM is my tool of choice. That's not coding. That's a advancment over Google or Stack Overflow. A LLM can improve autocomplete in my IDE (Kai Lentit on Y). LLM can't write software that is correct, that is fast, that is reliable, that is save, that is robust, that you and your business can rely on. So far, LLM has never been able to handle any programming task for me that went beyond the beginner level. And believe me, I tried it hard and I found out this a general limitation of LLM. I can explain it, but it's an other story.

LLM is great of doing Bullshit jobs. It will free people for better jobs. LLM increase the efficiency of software development in general. 

LLM is a good new tool, but a fool with a tool is still a fool, with brand new legacy code. LLM is a just a tool like Excel or the Internet, LLM is just a high sophisticated tool (2026). 

 

Summary

1. LLM increase the software development efficiency
2. LLM lower the entry level for software development
3. IMHO LLM will create a Rebound Effect on software development
4. LLM will help to create more Software faster
5. Software Developper will be more important than before. 

 

How to Fix NPEs forever

Null is biggest flaw of Java, saying some developers. Null causes NPEs causes crashing software. IMHO this is the same vibe as C vs Rust and I totally disagree. Crashing software is caused by developers and not by the programming language.

The easiest and best way to prevent NPEs is … proper exception handling. It is as simple as it sounds.

Bye the way, NPEs are often a side effect of OOP. All Objects are unsafe until you checked them. But checks are unsafe so go with exception handling.

 

 

Increase resilience: Decouple external system calls

For most software companies resilience means that the replication factor is 2 or higher.

 

Well that's far from good. You resilience is still bad as with two instances of your weak micro service. 

One way to increase the internal resilience of your service is to decouple external service calls. This  includes Data Base operations, Kafka, HTTP. For HTTP calls it is very common and most developer understand that this HTTP calls can go wrong but Data Base calls, yes all external services are running over a network, firewall, load balancer, switches, ... So it's a good idea to make all external call more resilient:

1. Put the external calls into own treads. This keeps your application running in case of an error or time out.
2. And have a time out or watchdog on it. By the way, Java futures are a easy way to do it.
3. Check the results also for write operations. 
4. Extend logs and monitoring to recognize external call errors.

Complex vs Complicated Code

 There many definitions what is the difference between complex (weather, stock market) and complicated systems (airplane, car). For code, I'm not using the ambiguous term software, for code I will go with my own definition.

Complicated code is a huge amount of code. The LOC metric is a good indicator of how complicated code is.

 

Complex code has a huge amount of execution paths. The cyclomatic complexity, or rather the cognitive complexity are a good indicator of how complex the code is. Spagetti Code is complex code. Code complexity is one code quality characteristic.

The metrics listed above are meaningful, easy-to-calculate code metrics. However, it should be noted that it is very easy to create examples where these metrics undoubtedly fail. 

 Try to avoid complex code. Try to replace complex code with complicated code. 

How to simply improve efficiency of software development without costs

It's an often heard, software developer have not enough time for coding. Short look in my calendar reveals that I have at least 20% meetings and I know many developers have much more. So how can I increase the efficiency of coding:

1. Skip useless dull meetings
2. Work only at one item at time and close all tabs and applications you don't need for the current task.
3. Don't switch to often or to fast between topics. I call it: human process trashing, it's a computer analogy of https://en.wikipedia.org/wiki/Thrashing_(computer_science)
4. Regular breaks keep your mind fresh
5. Try to switch between topics after a break like in the morning or after lunch 
6. Don't work overtime 
7. Finishing your tasks before going into weekend 
8. Compensate your sitting time at work with sport

And as Bonus: Writing, reflect and write it down. The important part is writing!