AIs Find Vulnerability – Schneier on Security

AIs Detect Vulnerability

I’ve been writing about the possibility of AIs automatically detecting code vulnerabilities since at least 2018. This is an ongoing area of research: AI doing source code scanning, AI finding zero days in the wild, and everything in between. The AIs aren’t very good at it yet, but they’re getting better.

Here is anecdotal data from this summer:

Starting in July 2024, ZeroPath takes a novel approach that combines deep system analysis with AI counter-agents for verification. Our methodology revealed many vulnerabilities in production systems, including several that traditional Static Application Security Testing (SAST) tools were not equipped to detect. This post provides technical depth on our research methodology and a live summary of bugs found in popular open source tools.

Expect a lot of development in this area over the next few years.

This is what I said in a recent interview:

Let’s not stick to the software. Imagine we have an AI that detects software vulnerabilities. Of course, attackers can use those AIs to break into systems. But defenders can use the same AIs to find software vulnerabilities and patch them. This capability, if it exists, will likely be built into a standard suite of software development tools. We can imagine a future where all readily available vulnerabilities (not all vulnerabilities; there are many theoretical implications about that) are removed from software before deployment.

When that day comes, all legacy code will be vulnerable. But all new code will be protected. And, eventually, those software vulnerabilities will be a thing of the past. In my head, some future programmer shakes his head and says, “Remember the early decades of this century when software was full of vulnerabilities? That’s before the AIs get them all. Wow, it was a crazy time.” We’re not there yet. We’re not far from there. But it’s a reasonable extrapolation.

Posted November 5, 2024 at 7:08 AM
