
Commit 7f93601

Update docs/Security-Focused-Guide-for-AI-Code-Assistant-Instructions.md
Co-authored-by: David A. Wheeler <[email protected]> Signed-off-by: Avishay Balter <[email protected]>
1 parent 7d1bc24 commit 7f93601

1 file changed

+1
-0
lines changed

docs/Security-Focused-Guide-for-AI-Code-Assistant-Instructions.md

Lines changed: 1 addition & 0 deletions
@@ -29,6 +29,7 @@ One of the first sections in your instructions should reinforce general secure c
2929
* **Call out and review stubbed code:** If the AI generates code that is stubbed or incomplete, instruct it to flag these areas for review. For example: *"If you generate placeholder code (e.g., `TODO` comments), ensure it is marked for security review before deployment".* This will help ensure that any incomplete code does not inadvertently introduce vulnerabilities. [[19]](#19) [[20]](#20)
3030
* **Data Protection:** When generating code, always prioritize data minimization and avoid storing or processing confidential or otherwise sensitive information (like personal data - PII) unless absolutely necessary. For that case, suggest strong encryption at rest and in transit, and recommend techniques like anonymization. For example: *"Generate a function that securely handles user input for a registration form, asking for necessary fields to avoid logging sensitive information of PII. Ensure that no sensitive or PII is stored in plaintext"*. [[21]](#21)
3131

32+
Note that we are *not* currently recommending in the general case that the AI be told to respond from a particular viewpoint (e.g., a role or persona) or character aka "persona pattern/memetic proxy". An example of this approach would be the instruction "Act as a software security expert. Provide outputs that a security expert would give." One set of experiments found that this approach performs poorly, producing the worst number of security weaknesses compared to other approaches. [[51]](#51) However, we encourage continued experimentation, and may change our recommendations based on future information.
3233
---
3334

3435
## **Addressing Software Supply Chain Security**
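Review bot: The new paragraph at line 32 sits directly above the `---` at line 33 with no blank line between them, so CommonMark will read the `---` as a setext underline and render the whole note as a level-2 heading, and the horizontal rule before "Addressing Software Supply Chain Security" disappears. Add an empty line after the paragraph so the `---` stays a thematic break. Two smaller points on the same line: this commit adds only one line, so please confirm that the `#51` anchor already exists in the references list, otherwise `[[51]](#51)` is a dangling link; and "producing the worst number of security weaknesses" would read more clearly as "producing the highest number of security weaknesses". The phrase "a particular viewpoint (e.g., a role or persona) or character aka "persona pattern/memetic proxy"" also says the same thing three ways and could be reduced to a single term with the aliases in parentheses.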
