Security scanner provider Socket also uses OpenAI ‘s chatbot to inspect packets.
The result of using ChatGPT surprised Socket, said CEO Feross Aboukhadijeh: “It worked much better than expected (…) Now I’m sitting on a few hundred vulnerabilities and malware packages and we rush to report them as soon as possible.” Socket is designed to detect so-called supply chain attacks, i.e. those that could be smuggled in via project dependencies.
It is not surprising that ChatGPT is in principle suitable for such work, since the system is also trained on a large amount of code and is therefore able to recognize common patterns. However, the vulnerabilities found fall into numerous different categories, such as “data leaks, SQL injections, hard-coded credentials, potential privilege escalation, and backdoors,” according to the report.
Not all of these gaps are public or even fixed. However, The Register magazine was able to verify some of the gaps that had already been published and listed various examples.
AI models can be of great help in automatically finding known patterns in hundreds of thousands of packages. A human check is simply too much effort for this. But relying on that alone will not be enough. The AI system will probably fail very quickly due to particularly sophisticated attacks and tactics, especially if they are not already widespread.