AI-Generated Code Unmasking the Security Pitfalls by Lawrence Crowther

Abstract: AI’s influence on programming and software development is undeniable, offering efficiency, automation, and advanced capabilities. Yet, there lies a shadow realm of security challenges, some known and others yet to be discovered.

What You’ll Learn:

- The current state of AI in code generation
- Real-world vulnerabilities introduced by AI-generated code
- Key considerations for developers using AI tools

Key Takeaways:

- Understand the unique risks posed by AI-generated code
- Witness firsthand the unpredictability of live AI demos
- Gain strategies for mitigating AI-associated risks in your projects

BIO: Lawrence leads the solutions engineering team for Snyk in Asia Pacific and Japan, a team of technologists who help grow the overall APJ business and evangelise Snyk’s products and solutions across the region. Prior to Snyk, Lawrence was the senior director of solution architecture for Elastic’s APJ business. Before that he spent 6 years at Pivotal Software in various leadership roles: he was Head of Platform Architecture APJ for their Cloud Foundry product, started and ran the Pivotal Labs business in Australia, and served as Field CTO.

DevOpsDays Singapore

March 21, 2024

Transcript

  1. AI-Generated Code: Unmasking the Security Pitfalls

    🎙 by Lawrence Crowther, Head of Solution Engineering, Snyk
    devopsdays.org/singapore | @devopsdaysSG
  2. Today’s Focus

    • Background
    • Building and Securing App using CoPilot + Snyk
    • Putting it into practice
    • Q & A
  3. AI with Security Context

    AI-Assisted Applications | AI-Assisted Development | AI-Assisted Processes

    Prompt Injection • Training Data Poisoning • Supply Chain Vulnerabilities • Insecure Output Handling • Reduce False Positives • Automated Code Fixes • Interpreting Log Data • Risk Profiling • AI Hallucinations • Generating Insecure Code • Old Outdated Packages • Sensitive Data Leakage
  4. LLMs: Developer superpower…

    • 92% of software developers are already using AI coding tools
    • Software developers using AI tools completed tasks 57% faster than those who didn’t
    • Software developers using AI tools were 27% more likely to complete a task than those who didn’t

    … security concern

    • 40% of Co-Pilot generated code contained vulnerabilities
    • Developers wrote significantly less secure code than those without access
    • more likely to believe they wrote secure code than those without access to the AI assistant
  5. Demo user stories

    1. Create Homepage: Requires top banner and product listing table
    2. Make product table searchable: Take user input and filter the results based on matches in the product name and description
    3. Allow users to personalise profiles: Users can upload their own avatar to their profile
  8. Takeaways

    Don’t trust. Verify.
    • Treat AI code like it’s from an inexperienced dev/app sec engineer
    • Test/validate everything
    • Pair ChatGPT, Co-Pilot with AST in the IDE

    Education and awareness
    • Write up policies and company guidelines
    • Focus on security vulns, sensitive data and IP and human interaction
    • Make education actionable, making sure repeatable steps can be taken
  9. another example…

    Prompt provided to Bard (Gemini), GPT-3.5 + GPT-4
    • name parameter output without sanitization
    • Results in typical reflected Cross-Site Scripting vulnerability
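
The pattern on slide 9, shown as an added example that is not code from the talk or from the LLM outputs it refers to: a handler that writes the `name` parameter into HTML as-is, beside a version that escapes it, plus a review check that tells them apart. The deck does not name a language; plain JavaScript (Node.js) is assumed, and the `/greet` route and all function names are hypothetical.

```javascript
// "Before": the name parameter goes into the page without sanitization,
// so any markup the caller supplies is reflected back and parsed by the browser.
function renderGreetingUnsafe(requestUrl) {
  const name = new URL(requestUrl, 'http://localhost').searchParams.get('name') || 'guest';
  return `<h1>Hello, ${name}!</h1>`;
}

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// "After": same behaviour for ordinary names, but the value is encoded
// for the HTML context it is written into.
function renderGreetingSafe(requestUrl) {
  const name = new URL(requestUrl, 'http://localhost').searchParams.get('name') || 'guest';
  return `<h1>Hello, ${escapeHtml(name)}!</h1>`;
}

// Review check in the spirit of "Test/validate everything": send a harmless,
// constructed marker containing markup and report whether it comes back verbatim.
function reflectsMarkup(render) {
  const marker = '<i id="probe">x</i>'; // constructed sample input
  const html = render('/greet?name=' + encodeURIComponent(marker));
  return html.includes(marker);
}

// Run the check against both handlers and return the verdicts.
function auditHandlers() {
  return {
    unsafe: reflectsMarkup(renderGreetingUnsafe),
    safe: reflectsMarkup(renderGreetingSafe),
  };
}

console.log(auditHandlers());
```

A check like `reflectsMarkup` fits in a unit test next to any AI-suggested handler, so the missing output encoding is caught before merge rather than in production.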