OpenAI (ChatGPT) Vulnerability Remediation Concept Work
Secure CodingAppSec
What's in OpenAI?
OpenAI is an artificial intelligence research laboratory that surprised the world with ChatGPT. It was founded in San Francisco in late 2015 by Sam Altman and Elon Musk, and many others.
ChatGPT grabbed 1M people's attention in the first six days, and unbelievable AI & Human conversations screenshots are still getting shared.
We couldn't resist more to see how OpenAI can help developers and application security teams by sharing remediation guidance.
Many application security teams manage millions of security issues on Kondukto, which would eventually save them hundreds of hours.
Kondukto & OpenAI Concept Work
We have a great place to test this concept; CandyShop.
It is our community project where we are scanning vulnerable applications with the most popular open-source SAST, DAST, SCA and container scanners.
CandyShop Dashboard
A SAST vulnerability on OWASP JuiceShop
Semgrep description
Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.
Remediation advice from OpenAI
OpenAI Description
The best way to fix this vulnerability is to use HTTPS instead of HTTP for the request. This can be done by changing the URL in line 22 to use the HTTPS protocol instead of HTTP.
For example, response = requests.post('https://example.com/URL', data = {'username': username, 'password': password})
Remediation advice:
1. Always use HTTPS when sending sensitive data over the internet.
2. Use secure authentication protocols such as OAuth or OpenID Connect.
3. Use secure encryption algorithms such as AES or RSA.
4. Use secure protocols such as TLS or SSL.
5. Use secure authentication methods such as two-factor authentication.
6. Monitor your network for suspicious activity.
7. Implement regular security audits and patch any vulnerabilities.
A container security vulnerability discovered by Trivy
Trivy description*:*
DISPUTED GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."
Remediation advice from OpenAI for CVE-2019-1010025
OpenAI description:
The best way to fix the CVE-2019-1010025 vulnerability in libc6 is to upgrade to the latest version of the library. This can be done by running the following command:
sudo apt-get update && sudo apt-get upgrade libc6
Once the upgrade is complete, you should also ensure that all applications that use libc6 are restarted to ensure that the new version is being used.
As for remediation advice, it is important to keep all software and libraries up to date with the latest security patches. This can be done by regularly checking for updates and applying them as soon as they become available. Additionally, it is important to ensure that all applications that use vulnerable libraries are regularly monitored for any security issues.
Conclusion
The first results are pretty promising, and we continue to improve our questions and discover new ways of using OpenAI to benefit application security teams.
Meanwhile, if you want to test OpenAI remediation advice concept, please mention it in the notes section.
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))