Paying Down Security Debt in the Age of Generative AI (在生成人工智能時代償還安全債務.pdf)

Catalog no. 184650. PDF, 24 pages, 3.27 MB.

Slide 1: State of Software Security: Addressing the Threat of Security Debt
Chris Wysopal, Chief Security Evangelist
World AI Summit 2024, October 10, 2024

Slide 2: Speaker background. United States Senate testimony, 19 May 1998. One of the first vulnerability researchers; member of the hacker think tank L0pht in the 1990s.

Slide 3: Today we are finding software security flaws faster than we can fix them.

Slide 4: Flaws accumulate faster than they're fixed. (Slides 5 and 6: charts.)

Slide 7: Our EU customers. (chart)

Slide 8: Let's add the exciting potential of large language models that can write code!

Slide 9: Developer GenAI use right now
- Generating code
- Understanding code / code review
- Remediating defects
- Translating programming languages
- Creating and maintaining unit tests
- Writing documentation

Slide 10: Emerging dev uses for GenAI
- Learning about the code base
- Searching for answers to avoid reinventing the wheel
- Reading log files to find a root cause
- Creating and running functional and non-functional tests
- Remediating security vulnerabilities

Slide 11: Large language models used for coding
Training data set: a large corpus of data that includes open web content, public GitHub repositories, open-source projects, documentation and comments, and third-party code (license risk).
Models: ChatGPT, Gemini and other code generators. Flow: user prompt, then the large language model, then the result returned to the user.
Callout: 41% of Copilot-produced code contains known security vulnerabilities.

Slide 12: Security implications of LLMs
- Wuhan University study on AI code generators: out of the 435 Copilot-generated code snippets found in repos, 36% contain security weaknesses, across 6 programming languages.
- Stanford University study on AI code generators: developers using LLMs were more likely to write insecure code, and they were more confident their code was secure.
- New York University study on GitHub Copilot: of 1,689 generated programs, 41% of Copilot-produced programs contained vulnerabilities.
- Purdue University study on ChatGPT accuracy: 52% of ChatGPT's answers were incorrect. Developers preferred them 35% of the time, yet 77% of those answers were wrong.

Slide 13: What is Veracode seeing across our customer base?

Slide 14: Our approach and methodology. This research draws from the following:
- 1,007,133 applications across all scan types
- 1,553,022 dynamic analysis scans
- 11,429,365 static analysis scans
All those scans produced:
- 96.0 million raw static findings
- 4.0 million raw dynamic findings
- 12.2 million raw software composition analysis findings

Slide 15: Where is the security debt? While first-party code constitutes almost 90% of all security debt, 65% of critical debt comes from third-party code in open-source libraries.

Slide 16: EU customer breakdown is similar. (chart: all customers vs. EU customers, by sector)

Slide 17: Remediation capacity is constrained. Only 64% of applications demonstrate a sustained capacity to eliminate all critical security debt. Only two out of ten applications show an average monthly fix rate that exceeds ten percent of all security flaws. This means few teams bail fast enough to reverse the tide of debt once it starts rising.

Slide 18: Prioritization is the key. Only 15 percent of all flaws are critical flaws. This subset of flaws represents, pound for pound, the greatest risk exposure to your applications. Prioritize that 15 percent, and, while you won't eliminate all security debt, you will achieve maximum risk reduction with focused effort. If the rate of new and existing flaws exceeds the capacity to remediate them, then prioritizing which flaws to remediate is essential.

Slide 19: EU apps may require more fix capacity. (chart: all customers vs. EU customers)
Veracode, Inc. 2024 Confidential

Slide 20: Managing security debt: fix flaws faster! Development teams that fix flaws fastest are four times less likely to let critical security debt materialize in their applications. (chart: speed at which developer teams fix flaws)

Slide 21: Takeaways

Slide 22: Key learnings from the SoSS report
- Code velocity is on the rise, in part thanks to generative AI.
- More code will result in more security debt, because generated code exhibits all of the same security weaknesses as human-written code.
- Development teams allocate very little capacity to fixing security flaws and often do not prioritize the most critical flaws.

Slide 23: Techniques for tackling security debt
- Increase capacity: the amount of time development teams dedicate to fixing security flaws is a choice, not an inherent limitation.
- Prioritize wisely: fix critical flaws (debt and non-debt) before non-critical flaws to reduce the most risk.
- Build security habits: scan and fix regularly; teams that fix flaws the fastest accumulate 4x less critical security debt.
- Fix faster: AI-assisted fixing has the potential to help developers fix more flaws in the same amount of time.

Slide 24: Thank you! Visit Veracode at booth W36.
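The deck's argument on capacity and prioritization (slides 17, 18 and 23) can be made concrete with a small triage script run over a findings export. The code below is an added example, not code from the deck or from Veracode; the findings are constructed, the 365-day age at which an open flaw is counted as "security debt" is an assumption of this example rather than a definition taken from the slides, and the fix capacity and the two queue policies being compared (critical-first versus oldest-first) are likewise assumed for illustration.

```python
"""Prioritizing security findings and comparing fix strategies under limited capacity.

Added example, not code from the Veracode deck. The findings below are constructed,
and the 365-day "debt" threshold, the monthly fix capacity and the two strategies
compared are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

DEBT_AGE_DAYS = 365        # assumption: an open flaw is counted as debt at this age
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str   # one of SEVERITY_RANK
    source: str     # "first-party" or "third-party" (open-source library)
    opened: date    # date the scanner first reported the flaw


def is_debt(f: Finding, today: date) -> bool:
    """A flaw is debt once it has stayed open for DEBT_AGE_DAYS or longer."""
    return (today - f.opened).days >= DEBT_AGE_DAYS


def critical_first(findings, today):
    """Critical flaws (debt or not) ahead of everything else; oldest first within a tier."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.opened))


def oldest_first(findings, today):
    """Age-only queue, the 'pay down the oldest item' policy; severity is ignored."""
    return sorted(findings, key=lambda f: f.opened)


def debt_breakdown(findings, today):
    """Count debt and critical debt, and the third-party share of each."""
    debt = [f for f in findings if is_debt(f, today)]
    crit = [f for f in debt if f.severity == "critical"]

    def third_party_share(items):
        return sum(f.source == "third-party" for f in items) / len(items) if items else 0.0

    return {
        "debt": len(debt),
        "critical_debt": len(crit),
        "third_party_share_of_debt": third_party_share(debt),
        "third_party_share_of_critical_debt": third_party_share(crit),
    }


def simulate(findings, today, capacity_per_month, months, strategy, inflow=None):
    """Run monthly cycles: add that month's new findings (if any), then fix
    `capacity_per_month` items in the order the strategy returns.

    Returns the number of open critical flaws that are debt at the end of the run,
    the quantity prioritization is meant to drive down.
    """
    backlog = list(findings)
    t = today
    for m in range(months):
        t += timedelta(days=30)
        if inflow and m < len(inflow):
            backlog += list(inflow[m])
        fixed = {f.id for f in strategy(backlog, t)[:capacity_per_month]}
        backlog = [f for f in backlog if f.id not in fixed]
    return sum(1 for f in backlog if f.severity == "critical" and is_debt(f, t))


# Constructed sample export (not real scan data); "today" is the talk date.
TODAY = date(2024, 10, 10)
SAMPLE = [
    Finding("F1", "critical", "third-party", date(2023, 1, 15)),
    Finding("F2", "critical", "first-party", date(2024, 8, 1)),
    Finding("F3", "high",     "first-party", date(2022, 11, 30)),
    Finding("F4", "medium",   "first-party", date(2023, 6, 1)),
    Finding("F5", "low",      "first-party", date(2024, 9, 20)),
    Finding("F6", "critical", "third-party", date(2022, 5, 5)),
    Finding("F7", "medium",   "third-party", date(2024, 10, 1)),
    Finding("F8", "high",     "first-party", date(2021, 3, 3)),
]

if __name__ == "__main__":
    print(debt_breakdown(SAMPLE, TODAY))
    print([f.id for f in critical_first(SAMPLE, TODAY)])
    for name, strategy in (("critical_first", critical_first), ("oldest_first", oldest_first)):
        print(name, "critical debt after 3 months at 1 fix/month:",
              simulate(SAMPLE, TODAY, 1, 3, strategy))
```

With one fix per month for three months, the critical-first queue clears all three critical items and leaves no critical debt, while the oldest-first queue spends its capacity on old high- and medium-severity items and still carries a critical debt item at the end. The `inflow` argument lets you feed each month's new findings in, which is the situation slide 18 describes: when inflow exceeds capacity, the backlog never shrinks, and only the ordering decides which risk is left open.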
