AI-Generated Code: Unmasking the Security Pitfalls 🎙 by Lawrence Crowther, Head of Solution Engineering Snyk devopsdays.org/singapore | @devopsdaysSG

● Background ● Building and Securing App using CoPilot + Snyk ● Putting it into practice ● Q & A Today’s Focus

AI with Security Context AI-Assisted Applications AI-Assisted Development AI-Assisted Processes Prompt Injection Training Data Poisoning Supply Chain Vulnerabilities Insecure Output Handling Reduce False Positives Automated Code Fixes Interpreting Log Data Risk Profiling AI Hallucinations Generating in-secure Code Old Outdated Packages Sensitive Data Leakage

But What is the Low Hanging Fruit? GenAI Security Companion

LLMs: Developer superpower… 92 % Of software developers Are already using AI coding tools Software developers using AI tools completed tasks 57% Faster than those who didn’t. Software developers using AI tools were 27% More likely to complete a task than those who didn’t … security concern 40% Of Co-Pilot generated code contained vulnerabilities Developers wrote significantly less secure code than those without access. more likely to believe they wrote secure code than those without access to the AI assistant.

Demo: Patch CoffeeShop App ☕

Requires top banner and product listing table Create Homepage Take user input and filter the results based on matches in the product name and description Make product table searchable 2 1 Users can upload their own avatar to their profile Allow users to personalise profiles 3

Requires top banner and product listing table Create Homepage Take user input and filter the results based on matches in the product name and description Make product table searchable 2 1 Users can upload their own avatar to their profile Allow users to personalise profiles 3

Requires top banner and product listing table Create Homepage Take user input and filter the results based on matches in the product name and description Make product table searchable 2 1 Users can upload their own avatar to their profile Allow users to personalise profiles 3

Don’t trust. Verify. ● Treat AI code like it’s from an inexperienced dev/app sec engineer ● Test/validate everything ● Pair ChatGPT, Co-Pilot with AST in the IDE Takeaways Education and awareness ● Write up policies and company guidelines ● Focus on security vulns, sensitive data and IP and human interaction ● Make education actionable making sure repeatable steps can be taken

Further reading source: https://snyk.io/blog/10-best-practices-for-securely-developing-with-ai/

Thank you!

Real world example typical prompt SQL Injection explicit prompt secure

Prompt provided to Bard (Gemini), GPT-3.5 + GPT-4 ● name parameter output without sanitization ● Results in typical reflected Cross-Site Scripting vulnerability another example…