Using ChatGPT as a Static Application Security Testing Tool

Cited by: 2
Authors
Bakhshandeh, Atieh [1 ,2 ]
Keramatfar, Abdalsamad [1 ,2 ]
Norouzi, Amir [1 ,2 ]
Chekidehkhoun, Mohammad M. [1 ,2 ]
Affiliations
[1] Res Ctr Dev Adv Technol, Tehran, Iran
[2] MIT, Res & Engn, Cambridge, MA 02139 USA
Keywords
Artificial Intelligence-based Code Review; ChatGPT Model; Common Weakness Enumeration; Static Application Security Testing; Vulnerability Detection;
DOI
10.22042/isecure.2023.182082
Chinese Library Classification code
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
In recent years, artificial intelligence has grown conspicuously in almost every aspect of life. One of the most promising application areas is security code review, for which many AI-based tools and approaches have been proposed. Recently, ChatGPT has attracted a great deal of attention for its remarkable ability to follow instructions and provide detailed responses. Given the similarities between natural language and code, in this paper we study the feasibility of using ChatGPT for vulnerability detection in Python source code. Toward this goal, we feed an appropriate prompt together with vulnerable code to ChatGPT and compare its results on two datasets with those of three widely used Static Application Security Testing tools (Bandit, Semgrep, and SonarQube). We run several kinds of experiments with ChatGPT, and the results indicate that ChatGPT reduces the false positive and false negative rates and has the potential to be used for Python source code vulnerability detection.
Pages: 8