Security Bsides Las Vegas 2024

Don’t Make This Mistake: Painful Learnings of Applying AI in Security
2024-08-06, Florentine F

Leveraging AI for AppSec presents both promise and danger; let’s face it, you cannot solve all security issues with AI. Our session will explore the complexities of AI in the context of auto remediation. We’ll begin by examining our research, in which we used OpenAI to address code vulnerabilities. Despite ambitious goals, the results were underwhelming and revealed the risk of trusting AI with complex tasks.

Our session features real-world examples and a live demo that exposes GenAI’s limitations in tackling code vulnerabilities. Our talk serves as a cautionary lesson against falling into the trap of using AI as a stand-alone solution to everything. We’ll explore the broader implications, communicating the risks of blind trust in AI without a nuanced understanding of its strengths and weaknesses.

In the second part of our session, we’ll explore a more reliable approach to leveraging GenAI for security, one that relies on the RAG framework. RAG stands for Retrieval-Augmented Generation. It's a methodology that enhances the capabilities of generative models by combining them with a retrieval component. This approach allows the model to dynamically fetch and utilize external knowledge or data during the generation process.


5 mins: The presentation will kick off by exploring the real-world problems companies aim to address with AI, grounding our discussion in tangible use cases rather than getting swept up in AI hype.

5 mins: We will then transition into discussing how AI can be used to enhance developer productivity, reduce the security backlog, and minimize MTTR (Mean Time To Remediate).

10 mins: We will review the research conducted by our team on the use of GenAI for automatic code vulnerability remediation. This will include sharing our methodology (how to use the RAG framework with AI), and we’ll wrap up by presenting both the good and the underwhelming results while showcasing examples of the fixes to the audience.

5 mins: To illustrate the challenges, we'll conduct an interactive live demo demonstrating how ChatGPT can overlook mistakes that even seasoned developers might miss.

5 mins: With these insights as a backdrop, we'll discuss the inherent risks associated with using GenAI for auto-remediation, drawing from both our experiences and other vendors. We will also highlight code vulnerabilities that cannot be automatically fixed, whether with AI or otherwise.

5 mins: Furthermore, we'll provide an overview of the current landscape of automatic remediation vendors, tools, and methodologies available in the market. If time permits, we will supplement this discussion with live demos of selected tools.

10 mins: To wrap up, we'll offer practical advice for reviewing “AI tools” and promises made by vendors. This session is designed to be interactive, inviting audience participation whenever possible.

-------------------------

What apps/tech would the solution work for?
Our focus will be on the challenge to remediate findings reported by SAST tools, but the same logic can be used in adjacent fields such as security scanners for IaC and more.

What will people learn from this discussion?
- How to properly vet AI tools
- How to see through the empty promises of vendors with one-size-fits-all AI tools
- How to use the RAG framework with AI
- How to level up your team with AI

What security professionals would benefit from this talk?
This session assumes a basic understanding of application security and is aimed at blue teams, mostly AppSec experts and security engineers.

How accessible and relative is this live demo?
We will only demo tools that can be used for free on Open Source projects.

How will you not make this a vendor pitch?
For the first demo we will use ChatGPT. When showing auto-remediation solutions, we will demonstrate at least two separate tools, sharing with the attendees the different approaches used in the market.

As a seasoned security researcher, I've led teams at Snyk and now helm security research at Mobb. With a wealth of publications and speaking engagements, I've delved deep into the intricacies of cybersecurity, unraveling vulnerabilities and crafting solutions. From pioneering research to impactful talks, my journey is fueled by a passion for safeguarding digital landscapes. Join me as I share insights, strategies, and innovations in the ever-evolving realm of cybersecurity.

Eitan Worcel is the co-founder and CEO of Mobb, the 2023 USA Black Hat StartUp Spotlight winner. He has over 15 years of experience in the application security field as a developer, product management leader, and now startup founder. He has previously spoken at Black Hat, OWASP chapter meetings, and dozens of news outlets and podcasts.