DeVAIC is a tool that implements a set of regular expression-based detection rules to identify vulnerabilities in Python code generated by AI models, overcoming the limitations of existing static analysis tools.
Our proposed deep learning-based approach can effectively learn and leverage the characteristics of source code data, including the semantic relationships of hidden vulnerability patterns, to enhance data representation learning and identify out-of-distribution source code data.
Large Language Models like ChatGPT struggle to generate secure code when using security APIs, with around 70% of the code instances containing security API misuse across various functionalities.
Existing large language models and deep learning-based automated program repair techniques can fix only a small number of real-world Java security vulnerabilities, with Codex exhibiting the best fixing capability among the models studied. Fine-tuning language models with general program repair data can improve their vulnerability fixing abilities, but they still struggle to fix many complex vulnerability types.
Large Language Models can significantly outperform existing learning-based methods for automated vulnerability localization through appropriate fine-tuning, while prompting approaches prove less effective.
Large Language Models (LLMs) like GPT-3.5 can generate compilable C programs that contain a high proportion of vulnerabilities, which can be effectively detected using formal verification techniques.
AssetHarvester, a static analysis tool, can detect the assets (e.g., database credentials, API keys) protected by secrets in software artifacts, aiding developers in prioritizing secret removal efforts.
Enhancing recall over precision is crucial for improving SASTTs' effectiveness in vulnerability identification.
Dev-Assist introduces a multi-label machine learning approach to detect security-relevant methods, automating the configuration of static analysis tools and reducing manual effort.
The author explores the challenges in reasoning about software security and presents various approaches to address these challenges, including provable security, detective security, and preventive security.