The Dark Side of Large Language Models: Uncovering and Overcoming Code Vulnerabilities
As the use of AI in cybersecurity continues to grow, many researchers have looked to large language models (LLMs) to help identify vulnerabilities in code. However, recent studies have shown that LLMs may not be as effective as initially thought and can even introduce new vulnerabilities into code. This talk will explore the risks and challenges of relying on LLMs for vulnerability detection, including how they can introduce new flaws of their own.
Javan works as a Senior Application Security Specialist at Sage, where he supports software development teams in securing the software development life cycle. On the side, he lectures on Secure Coding at DHBW University in Germany. His journey as an ethical hacker began at an early age, when he automated online games with bots and identified security bugs, which he reported to the game operators. He later turned this interest into his profession and became a security consultant. He brings experience as a penetration tester, holds certifications such as GXPN, CISSP, CCSP, and CSSLP, and has a Master's degree in IT Security Management. Javan has previously presented at conferences such as OWASP AppSec SanFran, Ekoparty, and HITB Singapore.
One example of this is the recent introduction of GitHub Copilot, an AI-powered tool that generates code from natural language prompts. While Copilot has been hailed as a revolutionary tool for developers, it has also been found to produce code containing vulnerabilities, highlighting the potential risks of relying on LLM-generated code.
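To make the risk concrete, here is a minimal illustrative sketch in Python (not taken from an actual Copilot session) of the kind of completion an AI assistant can plausibly produce for a "look up a user" request, next to a parameterized alternative:

```python
import sqlite3

def get_user(conn: sqlite3.Connection, username: str):
    # Vulnerable pattern: user input is concatenated directly into the SQL
    # statement (SQL injection, CWE-89) -- the kind of completion an AI
    # assistant can plausibly suggest for a "find user by name" prompt.
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()

def get_user_safe(conn: sqlite3.Connection, username: str):
    # Safer alternative: a parameterized query keeps data separate from code.
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (username,)
    ).fetchall()
```

Both functions return the same rows for benign input, which is exactly why the vulnerable version is easy to accept without a careful review.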
In this presentation, we will showcase instances of AI-generated vulnerabilities that slip through even Copilot's recently introduced “AI-based real-time vulnerability filtering system”. We will then delve into how AI prompt engineering can be tailored to mitigate this problem and emphasize the significance of secure coding practices. Finally, we will discuss the importance of carefully validating LLM output and conducting manual code reviews so that any vulnerabilities introduced by LLMs are identified and addressed.
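As one illustration of the prompt-engineering idea (a hedged sketch, not the exact technique presented in the talk), a simple approach is to prepend explicit secure-coding constraints to every code-generation request before it is sent to the model; the constraint list and wording below are purely examples:

```python
# Illustrative prompt-engineering sketch: wrap a developer's request with
# secure-coding constraints. The preamble text is an assumption for this
# example, not a vetted or complete policy.
SECURE_CODING_PREAMBLE = (
    "You are a secure-coding assistant. When generating code:\n"
    "- use parameterized queries, never string-concatenated SQL\n"
    "- validate and encode all untrusted input and output\n"
    "- avoid dangerous APIs (eval, shell commands built from user input)\n"
    "- flag any residual risks as comments for human review\n"
)

def build_secure_prompt(task_description: str) -> str:
    """Combine the secure-coding preamble with the developer's request."""
    return f"{SECURE_CODING_PREAMBLE}\nTask:\n{task_description}"

# Example usage: the resulting prompt would be sent to the LLM of choice.
print(build_secure_prompt("Write a function that looks up a user by name in SQLite."))
```

Even with such guardrails in the prompt, the generated code still needs manual review and security testing before it is trusted.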
Additionally, we will review recent research in the area of AI-based vulnerability detection. By the end of this talk, attendees will have a better understanding of the benefits and limitations of AI-based vulnerability detection and code generation, and will be able to make informed decisions about when and how to incorporate these tools into their own security review and software development practices.