Let’s also take on the idea that AI will displace security teams.
Researchers at Endor Labs tested ChatGPT 3.5 against 1,870 artifacts from the PyPI and NPM open-source package repositories. It flagged 34 as containing malware. However, only 13 actually had malicious code. Five others did contain obfuscated code but did not exhibit any malicious behavior, and one artifact was a proof-of-concept that downloads and opens an image via an NPM install hook. Counting those, the researchers judged ChatGPT 3.5 correct on 19 of its 34 flags.
However, 15 of the results were false positives.
Why do we care?
You’ll be able to enjoy your weekend knowing your job is still somewhat safe.
That said, my takeaway remains that thinking of this technology as a copilot rather than a replacement is the correct framing. Could humans have found the bad code as quickly? And isn’t it potentially terrific to be scanning more code more often? Humans aren’t perfect either, and the cliché of “an extra set of eyes” is generally welcome. Augment, not displace.

