Trustwave SpiderLabs tested how well ChatGPT performs basic static analysis on snippets of vulnerable code. The finding: OK on basic stuff, but not so impressive on slightly more challenging stuff. Specifically, ChatGPT struggled with:

-- Code execution in certain languages. ChatGPT made quick work of simple buffer overflow and JavaScript examples but did not initially identify issues in more complex code or for more novel vulnerabilities.

-- Line-by-line breakdown with context of the methods used in vulnerabilities and their parameters.

-- Interpreting the human thought processes behind code, the biggest flaw when it comes to using ChatGPT to analyze security risks.

My initial take as a reporter is . . . meh, but I'm curious to know what others think.

trustwave.com/en-us/resources/

@dangoodin

To @jacob 's point regarding AI writing vulnerable code: historically (IMHO) even security/cryptographic code examples written by humans are not fit for production because they usually omit important handling steps or error code for clarity/brevity. An example to show how something works does not take the place of proper design of how to integrate something (yet the cut-and-paste mindset persists).

Classic examples (pun intended) are hard-coded initialization vectors in encryption examples and proliferation of implicit grant usage in OAuth2 examples.

An example of how to call a crypto API is not a lesson in correct key management and IV selection, nor is the simplest OAuth2 use-case designed to educate on the design rationale behind the authorization code grant model and its security benefits.

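The hard-coded IV point above is worth seeing concretely. The following Go program is an added example, not code from the thread or from Trustwave: it places the copy-and-paste pattern (AES-GCM with a constant, all-zero nonce) beside the corrected form (a fresh random nonce per message, prepended to the ciphertext), and shows why the first one is broken. Because GCM encrypts the message body as plaintext XOR keystream, two ciphertexts produced under the same key and nonce XOR to the XOR of their plaintexts; knowing one plaintext then reveals the other with no key at all. The key and messages are constructed demo values; the 16-byte tag length and the function names are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFixedNonce is the anti-pattern from the thread: the nonce is a
// hard-coded constant (all zero here), so every message encrypted under the
// same key reuses the same keystream. Kept deliberately wrong for the demo.
func encryptFixedNonce(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // constant nonce: the bug
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// recoverWithKnownPlaintext shows the consequence of nonce reuse. The GCM
// output is (plaintext XOR keystream) followed by a tag of tagLen bytes.
// XORing two bodies cancels the shared keystream, so XORing in one known
// plaintext yields the other. No key is involved.
func recoverWithKnownPlaintext(ct1, ct2, knownPt1 []byte, tagLen int) ([]byte, error) {
	if len(ct1) < tagLen || len(ct2) < tagLen {
		return nil, errors.New("ciphertext shorter than tag")
	}
	body1 := ct1[:len(ct1)-tagLen]
	body2 := ct2[:len(ct2)-tagLen]
	n := len(body1)
	if len(body2) < n {
		n = len(body2)
	}
	if len(knownPt1) < n {
		n = len(knownPt1)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = body1[i] ^ body2[i] ^ knownPt1[i]
	}
	return out, nil
}

// encryptRandomNonce is the corrected form: a fresh random nonce for every
// message, prepended to the ciphertext so the receiver can recover it.
func encryptRandomNonce(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRandomNonce splits off the nonce and verifies the tag; a tampered
// or truncated ciphertext returns an error instead of plaintext.
func decryptRandomNonce(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}

func main() {
	key := make([]byte, 32) // constructed demo key, not a real secret
	for i := range key {
		key[i] = byte(i)
	}
	p1 := []byte("transfer 10 to alice") // constructed messages
	p2 := []byte("transfer 99 to mallo")

	c1, _ := encryptFixedNonce(key, p1)
	c2, _ := encryptFixedNonce(key, p2)
	leaked, _ := recoverWithKnownPlaintext(c1, c2, p1, 16)
	fmt.Printf("fixed nonce, p1 known -> p2 recovered: %q\n", leaked)

	r1, _ := encryptRandomNonce(key, p1)
	r2, _ := encryptRandomNonce(key, p1)
	fmt.Printf("random nonce, same plaintext twice, equal ciphertexts: %v\n", bytes.Equal(r1, r2))
	back, err := decryptRandomNonce(key, r1)
	fmt.Printf("round trip: %q err=%v\n", back, err)
}
```

The fix here is only the part an API example can show. A fresh random 96-bit nonce is fine for a modest number of messages per key, but the limit on messages per key, key rotation, and where the key comes from are exactly the design questions the thread says a snippet never answers.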

@john_philip_bell @dangoodin @jacob
I'd love to see a tool that is trained to spot known vulnerabilities.

GitHub has the tools in place, they could use the output from their CodeQL static analysis tool as a loss function when training the model to prefer safer code...
Merovingian Club

A club for red-pilled exiles.