Colin Clark’s Post

Non-existent software dependencies hallucinated by LLMs are already being used for successful software supply chain attacks: https://lnkd.in/gqewWC6Y Reported by Bar Lanyado. Note that the payload was non-malicious in this study. One of the companies snared by this experiment was Alibaba. There's been a lot of hand-wringing about fake case citations, but fake software package citations that download a dangerous payload can sink your entire business/government agency/court/etc in an hour.

Shift-left on Security. Good point out on a wave of poorly written vulnerable software using #genAl since it is still a maturing piece of tech. "LLMs write code like software developers write code -- and developers don't write secure code," Veracode Chief CTO and co-founder Chris Wysopal told the audience [at the recent Black Hat USA security conference]." "One reason GenAI writes bad code is that the large-language models are trained on existing code that itself contains a lot of errors. Because of copyright and intellectual-property issues, a large share of the training data is open-source software -- and, as Wysopal said, "Open source ages like milk." To shift-left on #security is to integrate and move testing, quality, and evaluation activities closer to the start of the development lifecycle. This is important as it enables teams to detect and fix issues early on. #securecode #securityvulnerabilities #infosec #cyberrisk #secureSDLC

We’re going to continue to see further investment in automatic remediation of security issues using artificial intelligence. Companies like Snyk and GitHub are investing heavily in this space. I personally think it’s good that we have a way of potentially catching up on the sheer quantity of software bugs we find in our apps. But I’m still a fan of eradicating bug classes using well defined platforms with inherent security properties. Prevention better than the cure, but also AI might make that pill less bitter to swallow. https://lnkd.in/gHTqe3RE

Veracode highlights the security risks of GenAI coding tools. There's going to be more code produced by LLM, and developers are going to trust it more. We need to trust AI less and make sure we're doing the proper amount of security testing https://zurl.co/cUHu

Veracode highlights the security risks of GenAI coding tools. There's going to be more code produced by LLM, and developers are going to trust it more. We need to trust AI less and make sure we're doing the proper amount of security testing https://zurl.co/cUHu

In software engineering, it's often the small concepts that make a big difference. Remembering key terms like PII anonymization can help you solve privacy issues in your next project. Imagine, you are browsing your favourite online store, excited to purchase a product. You provide your credit card information and address, trusting the company to keep your data safe. But what if, a few months later, you receive a notification that the store experienced a data breach? Your personal information is now vulnerable! This scenario highlights the crucial need for PII anonymization. It’s not just about complying with laws. it’s about protecting people. By anonymizing data, companies can analyze trends and improve services without putting individual identities at risk. For More details, check out this link https://lnkd.in/eJf6VbpA

Is GAI driving insecure code? Yup. Tons of research is cited in the article Chris tagged. I've found this in my research as well. What to do? (0) Implement secure coding practices (1) Human ownership of code (2) Code Review (3) test test test (4) SAST scanning (5) test test test "[A] study by New York University researchers showed that 40% of programs written by Copilot included at least one of MITRE's top 25 most common vulnerabilities." You may say, hey, that report is a year old or that research kicked off 36 months ago. Matters not! The facts are that the corpus of data used to train the models specifically on software is littered with issues. 𝗚𝗿𝗼𝘂𝗻𝗱𝗯𝗿𝗲𝗮𝗸𝗶𝗻𝗴 𝗽𝗼𝘁𝗲𝗻𝘁𝗶𝗮𝗹 𝘄𝗶𝘁𝗵 𝗹𝗶𝗺𝗶𝘁𝗮𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀. #ArchAITecture. #GenAI. #CyberSecurity #AI4SWE #GAI #DevSecOps

“To combat this, Wysopal said, we need better code-checking AIs. He and his colleagues are working on creating a narrowly focused generative AI model, trained on a curated data set of known good and bad code, that will only check code for errors, not try to write it.” AI coding is not mature because GenAI uses unsecured data and models to generate new codes. The scientific way to conquer problems is to use known successful experiments and increase their scale. For AI coding, I think it is reasonable to use secured data and models first and then gradually increase its application scenario. Speaking of AI-secured data and models, it is feasible to use a filtering tool to achieve that goal. The Computing Architectural Secure System (CASS) is a good tool that focuses on data sovereignty and lineage that will filter out secured data and models. www.archss.com

In short, Language models can generate code that erroneously points to software packages, creating vulnerabilities that attackers can exploit. It's certainly not new as typosquatting is pretty common and in the past and attackers could also suggest packages via stack overflow, blog posts, GitHub, or other social media.