Can you trust generative AI to fix your code?

Applications of AI


Organizations around the world are racing to incorporate AI technology into their cybersecurity programs and tools. A majority of developers (65%) are using or plan to use AI in their testing efforts over the next three years. There are many security applications that benefit from generative AI, but is he one of them to fix code?

For many DevSecOps teams, generative AI is the holy grail to overcoming the growing backlog of vulnerabilities. Well over half of organizations (66%) have more than 100,000 vulnerabilities in their backlogs, more than two-thirds of the results reported in static application security testing (SAST) remain unresolved 3 months after detection and 50% remain unresolved after 363 days. . The dream is for a developer to simply ask his ChatGPT to “fix this vulnerability” and the hours and days spent fixing vulnerabilities become a thing of the past.

In theory, this is not a wild idea at all. After all, machine learning has been used effectively in cybersecurity tools for years to automate processes and save time. AI is very beneficial when applied to simple and repetitive tasks. In practice, however, there are some flaws in applying generative AI to complex code applications. Without human oversight and explicit direction, DevSecOps teams can cause more problems than they solve.

Benefits and Limitations of Generative AI Related to Code Fixing

AI tools can be very powerful tools for simple, low-risk cybersecurity analysis, monitoring, and even remediation needs. Concerns arise when the risks become significant. This is ultimately a matter of trust.

Researchers and developers are still determining the capabilities of new generative AI technologies for generating complex code modifications. Generative AI relies on existing and available information to make decisions. This is useful for translating code from one language to another or fixing known defects. For example, if you ask ChatGPT, “Write this JavaScript code in Python,” you’ll probably get good results. Use it to modify your cloud security configuration, and the relevant documentation for it will be published, easy to find, and easy for AI to follow, which is helpful.

However, fixing most code vulnerabilities requires acting on a unique set of circumstances and details, introducing more complex scenarios for the AI ​​to navigate. AI may provide a “fix”, but should not be trusted without verification. By definition, generative AI cannot create something not yet known and can experience hallucinations that result in false outputs.

In a recent example, a lawyer faced serious consequences after using ChatGPT to help prepare court filings citing six non-existent cases fabricated by AI tools. When AI hallucinates non-existent methods and applies them to writing code, you’re wasting time on “fixes” that don’t compile. Additionally, according to OpenAI’s GPT-4 whitepaper, new exploits, jailbreaks, and new behaviors will be discovered over time, making it harder to prevent. Therefore, careful consideration is required to ensure that AI security tools and third-party solutions are vetted and regularly updated to avoid unintentional backdoors into systems.

Trust or Not Trust?

The rapid adoption of generative AI at the height of the Zero Trust movement is an interesting dynamic. Most cybersecurity tools are built on the idea that organizations should never be trusted, they should always be verified. Generative AI is built on the principle of inherent trust in information available from known and unknown sources. This clash of principles seems like an apt metaphor for the enduring struggle organizations face in finding the right balance between security and productivity, but this struggle feels especially worse now. can be

Generative AI may not yet be the holy grail DevSecOps teams hoped for, but it can help make incremental progress in reducing vulnerability backlogs. At this time, it can be applied to do a quick fix. For more complex fixes, trustworthiness verification methods should be employed that leverage the power of AI based on the knowledge of the developers who write and own the code.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *