Secure Coding and ChatGPT: Miracle or Mirage?

Mark Horvath

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."

The ChatGPT Experience

• This can do anything!
• Uh-oh, this is going to take my job!
• Maybe I should get some VC and start a company.
• Hmmm… these answers are a little… flawed.
• Wait, what? No. That’s not how that works at all…
• Pffft! This is just a Wikipedia article, and not a good one.
• These answers aren’t really very good, but it can render them in iambic pentameter, which is kind of cool.

AI Solutions Are the Top Emerging Technology

[Chart: Emerging Technologies Deployed or Planned to Deploy in the Next 12 Months. Categories: Artificial Intelligence, Distributed Cloud, SASE, Edge Computing, Multiexperience Development Platform. The only value that survives from the chart is 48%.]

n = 2,186; CIOs and Technology Executives

Source: 2023 Gartner CIO and Technology Executive Survey

SASE = secure access service edge

Applications of AI to Security (So Far)

| Use | What Is “AI” About? | Possible Benefits | Type of AI |
|---|---|---|---|
| Application Security Testing: Reducing False Positives | Learns what false positives look like in your team’s SAST results. | Reduces false positives in output by >90%. | Machine learning. |
| Process behavior analysis | Recognizes characteristics of malware without relying on signatures. | Identifies malware very early and is resistant to polymorphism. | Neural networks. Machine learning. |
| Vulnerability Test Target Selection | Recognizes high-value test targets. | Uses data from multiple organizations. | Various. |
| Abnormal System Behavior Detection | Recognizes critical alerts or patterns in otherwise massive amount of data. | Faster than humans and can improve signal to noise ratio. | Various. |
| User and Entity Behavior Analytics | Can recognize patterns in use and behavior data that humans might miss. | Improves compliance, early insider threat detection, improved visibility. | Machine learning. Fuzzy logic. Varies by provider. |
| Network Traffic Analysis | Sees patterns in connections and access across a large network. | Recognize data exfiltration, intrusion detection, insider threats faster than humans. | Machine learning. Neural networks. Directed graphs. |

SAST = static application security testing

What Is Different About ChatGPT?

[Figure: Conceptual Flow of the ChatGPT Service. Diagram labels: Model Training; Model Inference; Training Data (400 Billion Words); Reinforcement Learning With Human Feedback; Text Input; Input Filtering and Prompt Preparation; Closed GPT Models (LLMs); Output Acceptability Filtering and Conversation Preparation; ChatGPT; Text Output.]

Source: Gartner

The Good: Sometimes It Works Well

• Covers basic coding formats and simple techniques.
• Good at explaining why it does things the way it does in a completely understandable way.
• Is generally able to offer basic advice and coordinate many different security inputs.
• Can analyze software in many languages, debug code.
• Can write on complex topics.
• “The equivalent of a font for language.”

The Good

• Incident response (Cado Security):
– While this gives a decent explanation of what happened and provides an analyst with a quick human-readable explanation of the incident—it is not 100% accurate.

The Bad

• Can quickly be turned into a source of malware, rather than a cure.
• Or can be just wrong!
– It’s based on examples from the internet.

The Bad: When It Is Bad, It Is Bad

• Only as good as the data it is trained on.
• ChatGPT will not write malware code if asked to write it; it does have guardrails, such as security protocols to identify inappropriate requests.
– However, workarounds are common.

The Ugly

“Participants who had access to an AI assistant […] wrote significantly less secure code than those without access.”

Source: Do Users Write More Insecure Code With AI Assistants?, arXiv.

The Ugliest

“Participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant.”

Source: Do Users Write More Insecure Code With AI Assistants?, arXiv.

But Can It Help With Code Review?

NCC Group: High-level pentest/code security research firm.

Basically, a SAST scan with a full explanation.

Fed several types of known vulnerable code to ChatGPT and asked to identify vulnerabilities.

Results: About typical for a SAST tool, including the false positives.

ChatGPT Response (Sample)

• The code has several security vulnerabilities.
• Remote Code Execution (RCE): The input from the user, stored in the “$target” variable, is directly passed to the shellexec() function without any proper validation or sanitization. This could allow an attacker to inject arbitrary commands and execute them on the server.
• Cross-Site Request Forgery (CSRF): The code does not have any CSRF protection mechanisms in place. An attacker could trick a user into making a malicious request that could modify the state of the application.
• Command Injection: The input from the user is passed directly to the shellexec() function, making it vulnerable to command injection attacks. An attacker could inject arbitrary shell commands and execute them on the server.
• Overall, the code should be revised to include proper input validation and sanitization, and protection against RCE, CSRF, and command injection attacks.

Results Are… Okay, Not Great

• The Cross-Site Request Forgery bug is a false positive.
• The second “Command Injection” report, while correct, is a duplicate, but is described in a manner that makes it sound like a different vulnerability type.
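The pattern behind the RCE and Command Injection findings in the sample response, next to a hardened form, as an added PHP example (constructed here; it is not the code NCC Group tested and not from the slides). The function names `ping_vulnerable` and `ping_hardened` and the use of `ping` are assumptions; PHP spells the shell function `shell_exec()`.

```php
<?php
declare(strict_types=1);
// Added illustration: constructed code, not the sample from the slides.
// ping_vulnerable/ping_hardened and the ping command are assumed names.

// Pattern the finding describes: request input reaches the shell unchanged.
function ping_vulnerable(string $target): ?string
{
    // The string is parsed by /bin/sh, so shell metacharacters in $target
    // are interpreted as syntax instead of being treated as data.
    $out = shell_exec('ping -c 1 ' . $target);
    return is_string($out) ? $out : null;
}

// Hardened form: allow-list the input, then start the program without a shell.
function ping_hardened(string $target): string
{
    // 1. Validation: accept only a literal IPv4 or IPv6 address.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('target must be an IP address');
    }
    // 2. No shell: an argv array (PHP 7.4+) is executed directly, so the
    //    address can only ever be a single argument to ping.
    $proc = proc_open(['ping', '-c', '1', $target], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Constructed inputs: one valid address, one string that is not an address.
foreach (['127.0.0.1', 'not-an-address'] as $input) {
    try {
        ping_hardened($input);
        echo "$input: accepted\n";
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo "$input: not run ({$e->getMessage()})\n";
    }
}
```

Both findings point at the same source (`$target`) and the same sink, so one change to that call site closes both, which is why a reviewer triaging the output would record them as a single issue.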

What Exactly Is It Doing?

• ChatGPT is training on huge amounts of data, much of it from the internet.
• There are lots and lots and lots of great examples of secure coding on the internet.
• There are many, many more of code with poor security.
• If you think of it as “advanced pattern matching” instead of “AI coming for my job,” you will have a better model for what to expect.

Back to Code Review

• GitHub Copilot: Assembles data from many sources. ChatGPT meets AppSec Testing.
• Has access to all developer and MSRC data.
• Query existing security data sources.
• Promptbook to make progress on a task.
• User data not uploaded for learning.

How Does GitHub Copilot Use ChatGPT?

Source: GitHub

Open Questions

• Is ChatGPT a professional-grade tool?
– Not by itself but can reach that level with specific training.
• Should I be worried about privacy and intellectual property?
– Yes.
• The state of the art is moving quickly.
– Yes, and you should prepare.

Recommendations

o Most enterprises should not use ChatGPT for code generation, code security scanning, or secure code review with very limited exceptions. Instead continue to rely on traditional AST tools.
o The use of ChatGPT for security requires a number of trade-offs for accuracy that most enterprises may find unacceptable.
o Other enterpris
