A developer used GitHub Copilot to build a browser-based COBOL IDE with zero prior COBOL experience, and it worked impressively well. However, reading the generated code revealed a critical remote code execution vulnerability: user-submitted COBOL was compiled and run directly on the server with no sandboxing. Copilot never flagged the security issue unprompted, but identified it clearly when explicitly asked. Three remediation approaches are discussed — Docker container isolation, syscall filtering, and compiling COBOL to WebAssembly for client-side execution. The key takeaway is that AI coding tools build what you describe, not what is safe to deploy; the judgment to ask the right security questions still requires a developer in the loop.
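The Docker-isolation and syscall-filtering remediations the summary mentions, as an added example that is not code from the original post or its IDE: it assumes the server compiles with GnuCOBOL's `cobc` inside an image named `cobol-sandbox` (both assumptions), and shows the unsafe compile-and-run beside a version where each step runs in a throwaway container, with the user's binary further confined by a seccomp allowlist. The allowlist is a constructed starting point, not a verified minimum.

```python
import json
import os
import subprocess
import tempfile
from pathlib import Path
# Assumed (not from the post): GnuCOBOL's `cobc` compiler and a minimal image `cobol-sandbox`.
IMAGE, TIMEOUT_S = "cobol-sandbox", 5
# Constructed allowlist for the run step; derive the real one by tracing a known-good program.
BASE_SYSCALLS = ["read", "write", "pread64", "close", "openat", "newfstatat", "fstat",
                 "lseek", "mmap", "mprotect", "munmap", "brk", "futex", "rseq",
                 "arch_prctl", "set_tid_address", "set_robust_list", "prlimit64",
                 "getrandom", "rt_sigaction", "rt_sigprocmask", "exit", "exit_group"]

def run_unsafe(source: str) -> str:
    """The pattern the post warns about: compiled and run as the web server's own user."""
    work = Path(tempfile.mkdtemp())
    (work / "prog.cob").write_text(source)
    subprocess.run(["cobc", "-x", "-o", "prog", "prog.cob"], cwd=work, check=True)
    return subprocess.run([str(work / "prog")], capture_output=True, text=True).stdout

def seccomp_profile(allowed: list) -> dict:
    """Docker seccomp profile: syscalls outside `allowed` fail with EPERM (no sockets, no exec)."""
    return {"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}]}

def docker_argv(extra: list, command: list) -> list:
    """Shared isolation: no network, read-only root, no capabilities, no setuid escalation,
    memory/pid caps; running as the host uid keeps the 0700 workdir mount usable."""
    return ["docker", "run", "--rm", "--network", "none", "--read-only",
            "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
            "--memory", "128m", "--pids-limit", "32", "--tmpfs", "/tmp:rw,size=32m",
            "--user", f"{os.getuid()}:{os.getgid()}", *extra, IMAGE, *command]

def compile_argv(work) -> list:
    # cobc drives a C compiler and must write prog, so the workdir is mounted rw.
    return docker_argv(["-v", f"{work}:/work:rw", "-w", "/work"],
                       ["cobc", "-x", "-o", "prog", "prog.cob"])

def run_argv(work, profile) -> list:
    # The user's binary gets the workdir read-only plus the syscall allowlist.
    return docker_argv(["-v", f"{work}:/work:ro", "--security-opt", f"seccomp={profile}"],
                       ["/work/prog"])

def run_sandboxed(source: str) -> str:
    work = Path(tempfile.mkdtemp())
    (work / "prog.cob").write_text(source)
    (work / "seccomp.json").write_text(json.dumps(seccomp_profile(BASE_SYSCALLS)))
    subprocess.run(compile_argv(work), check=True, timeout=TIMEOUT_S)
    return subprocess.run(run_argv(work, work / "seccomp.json"), capture_output=True,
                          text=True, timeout=TIMEOUT_S).stdout
```

Compiling to WebAssembly for client-side execution, the third option the summary names, removes the server-side execution step entirely and so needs none of this.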
Table of contents
Copilot and COBOL, The Unnatural Marriage
“Surely It Can’t Write COBOL”
And Then I Actually Read the Code
The Fix a Developer Actually Makes
The Empire Strikes Back, But Not Alone