Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.
Backslash Identifies AI-Generated Code Concerns via OSS Reachability Analysis, Phantom Package Visibility Capabilities
Backslash Research Team performs GPT-4 developer simulation exercise to identify security blindspots in LLM-generated code
April 30, 2024
Backslash Security announced the findings of its GPT-4 developer simulation exercise, designed and conducted by the Backslash Research Team, to identify security issues associated with LLM-generated code. The Backslash platform offers several core capabilities that address growing security concerns around AI-generated code, including open source code reachability analysis and phantom package visibility capabilities.
According to Gartner, 63% of organizations are currently piloting or deploying AI code assistants. Due to its simplicity of use, AI-generated code will dramatically increase the pace of new code development. However, this technology introduces a diverse range of potential vulnerabilities and security challenges.
In research conducted by the Backslash Research Team to explore security gaps associated with AI-generated code from the perspective of developers, the team created and performed a variety of developer simulation exercises via a series of tests using GPT-4. The results revealed critical security blindspots associated with AI-generated code and its use of third-party open source software (OSS):
■ Some LLMs can generate vulnerable OSS package recommendations due to being ‘frozen in time’: Given that many LLMs are trained on static datasets that are only current up to a specific date and are thus deprived of dynamic patch updates, OSS package recommendations generated by LLMs may be outdated. This includes previous OSS package versions with older code and potential security vulnerabilities that have since been fixed in newer versions.
■ ‘Phantom’ packages can introduce unseen reachable risks: LLM-generated code can include indirect OSS packages that developers are not aware of. Developers often have little to no visibility or control over these “phantom” packages, which may insert security issues into code production via outdated, vulnerable packages.
■ Seemingly safe code-snippet outputs can create an illusion of trust: Experiments reveal that when using the same prompt, GPT-4 generated different recommendations, occasionally suggesting vulnerable package versions. Although these outputs often include disclaimers or instructions regarding the package version, they sometimes do not. Such inconsistencies may cause developers to view all AI-generated code as reliable, thereby introducing significant product security risks for large development teams that deploy high volumes of code daily.
As AI-generated code continues to gain momentum, security issues stemming from the unintended use of outdated OSS packages in application code will become increasingly prominent. The Backslash platform, which was built first and foremost with security in mind for application security teams concentrating on SCA and SAST, offers several capabilities that address AI-generated code security concerns associated with open source software:
■ In-depth reachability analysis: The Backslash platform’s unique approach to SCA analysis assesses the reachability of OSS vulnerabilities, enabling AppSec and product security teams to pinpoint the risks that are reachable and exploitable, and prioritize the genuine threats.
■ Phantom package visibility: Extending beyond traditional SCA, Backslash can identify and assess phantom package risks. The platform detects phantom packages being used by code that is not declared in manifest files and determines whether the packages are reachable and the level of risk they pose.
“The way we create code is rapidly changing, and that means the way that we secure code must also change. AI-generated code offers immense possibility, but also introduces an entirely new scale of security challenges – and application security teams now bear the burden of securing an unprecedented volume of potentially vulnerable code due to the sheer speed of AI-enabled software development,” said Shahar Man, co-founder and CEO of Backslash Security. “Our research shows that securing open source code is more critical than ever before due to product security issues being introduced by AI-generated code that is associated with OSS.”
Backslash enables teams to fix only the vulnerable code and OSS that indeed needs addressing – the reachable, exploitable components.
Industry News
November 21, 2024
November 21, 2024
Red Hat announced the general availability of Red Hat Enterprise Linux 9.5, the latest version of the enterprise Linux platform.
November 21, 2024
Securiti announced a new solution - Security for AI Copilots in SaaS apps.
November 20, 2024
Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.
November 20, 2024
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:
November 20, 2024
Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.
November 20, 2024
Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.
November 19, 2024
OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.
November 19, 2024
Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.
November 19, 2024
Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.
November 19, 2024
Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.
November 19, 2024
Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.
November 19, 2024
Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.
November 19, 2024
Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.
November 18, 2024
MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.
