Slide 1

Slide 1 text

AI-Generated Code: Unmasking the Security Pitfalls
🎙 by Lawrence Crowther, Head of Solution Engineering, Snyk
devopsdays.org/singapore | @devopsdaysSG

Slide 2

Slide 2 text

Today’s Focus
● Background
● Building and Securing App using CoPilot + Snyk
● Putting it into practice
● Q & A

Slide 3

Slide 3 text

AI with Security Context

AI-Assisted Applications
AI-Assisted Development
AI-Assisted Processes

● Prompt Injection
● Training Data Poisoning
● Supply Chain Vulnerabilities
● Insecure Output Handling
● Reduce False Positives
● Automated Code Fixes
● Interpreting Log Data
● Risk Profiling
● AI Hallucinations
● Generating insecure Code
● Old Outdated Packages
● Sensitive Data Leakage

Slide 4

Slide 4 text

But What is the Low Hanging Fruit?
GenAI Security Companion

Slide 5

Slide 5 text

LLMs: Developer superpower…
● 92% of software developers are already using AI coding tools
● Software developers using AI tools completed tasks 57% faster than those who didn’t
● Software developers using AI tools were 27% more likely to complete a task than those who didn’t

… security concern
● 40% of Co-Pilot generated code contained vulnerabilities
● Developers wrote significantly less secure code than those without access, and were more likely to believe they wrote secure code than those without access to the AI assistant

Slide 6

Slide 6 text

Demo: Patch CoffeeShop App ☕

Slide 7

Slide 7 text

1. Create Homepage: Requires top banner and product listing table
2. Make product table searchable: Take user input and filter the results based on matches in the product name and description
3. Allow users to personalise profiles: Users can upload their own avatar to their profile

Slide 10

Slide 10 text

Takeaways

Don’t trust. Verify.
● Treat AI code like it’s from an inexperienced dev/app sec engineer
● Test/validate everything
● Pair ChatGPT, Co-Pilot with AST in the IDE

Education and awareness
● Write up policies and company guidelines
● Focus on security vulns, sensitive data and IP and human interaction
● Make education actionable, making sure repeatable steps can be taken

Slide 11

Slide 11 text

Further reading
source: https://snyk.io/blog/10-best-practices-for-securely-developing-with-ai/

Slide 12

Slide 12 text

Thank you!

Slide 13

Slide 13 text

Real world example
● typical prompt: SQL Injection
● explicit prompt: secure
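
An added illustration of the contrast on this slide, applied to the searchable product table from the demo tasks (not code from the talk or its demo app; the `products` table, its columns, the `published` flag and both function names are assumptions). It puts a string-concatenated search query beside a parameterized one that also escapes LIKE wildcards.

```python
import sqlite3

# Constructed sample rows; the schema and the `published` flag are assumptions.
ROWS = [
    ("Espresso", "Strong and short", 1),
    ("Flat White", "Espresso with steamed milk", 1),
    ("Staff Blend", "Unreleased internal test roast", 0),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, description TEXT, published INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return db

def search_vulnerable(db, term):
    # User input is concatenated into the SQL text, so it can change the query.
    sql = ("SELECT name FROM products WHERE published = 1 AND "
           "(name LIKE '%" + term + "%' OR description LIKE '%" + term + "%')")
    return sorted(row[0] for row in db.execute(sql))

def search_safe(db, term):
    # Escape LIKE wildcards so % and _ typed by the user match literally,
    # then pass the pattern as a bound parameter so it stays data.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = "%" + esc + "%"
    sql = ("SELECT name FROM products WHERE published = 1 AND "
           "(name LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\')")
    return sorted(row[0] for row in db.execute(sql, (pattern, pattern)))

# Constructed input that closes the quoted pattern and appends its own condition.
CRAFTED = "x%') OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_safe):
        print(fn.__name__, fn(db, "espresso"), fn(db, CRAFTED))
```

With the crafted term the concatenated query also returns the unpublished row, while the parameterized query treats the whole string as a literal search pattern and returns nothing.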

Slide 14

Slide 14 text

another example…

Prompt provided to Bard (Gemini), GPT-3.5 + GPT-4
● name parameter output without sanitization
● Results in typical reflected Cross-Site Scripting vulnerability