I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding

Authors Tiago Espinha Gasiba , Kaan Oguzhan , Ibrahim Kessba , Ulrike Lechner , Maria Pinto-Albuquerque



PDF
Thumbnail PDF

File

OASIcs.ICPEC.2023.2.pdf
  • Filesize: 0.54 MB
  • 12 pages

Document Identifiers

Author Details

Tiago Espinha Gasiba
  • Siemens AG, München, Germany
Kaan Oguzhan
  • Siemens AG, München, Germany
Ibrahim Kessba
  • Siemens AG, München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Maria Pinto-Albuquerque
  • Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR, Portugal

Cite AsGet BibTex

Tiago Espinha Gasiba, Kaan Oguzhan, Ibrahim Kessba, Ulrike Lechner, and Maria Pinto-Albuquerque. I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding. In 4th International Computer Programming Education Conference (ICPEC 2023). Open Access Series in Informatics (OASIcs), Volume 112, pp. 2:1-2:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
https://doi.org/10.4230/OASIcs.ICPEC.2023.2

Abstract

Software security is an important topic that is gaining more and more attention due to the rising number of publicly known cybersecurity incidents. Previous research has shown that one way to address software security is by means of a serious game, the CyberSecurity Challenges, which are designed to raise awareness of software developers of secure coding guidelines. This game, which has been proven to be very successful in the industry, makes use of an artificial intelligence technique (laddering technique) to implement a chatbot for human-machine interaction. Recent advances in machine learning led to a breakthrough, with the implementation of ChatGPT by OpenAI. This algorithm has been trained in a large amount of data and is capable of analysing and interpreting not only natural language, but also small code snippets containing source code in different programming languages. With the advent of ChatGPT, and previous state-of-the-art research in secure software development, a natural question arises: to which extent can ChatGPT aid software developers in writing secure software?. In this paper, we draw on our experience in the industry, and also on extensive previous work to analyse and reflect on how to use ChatGPT to aid secure software development. Towards this, we run a small experiment using five different vulnerable code snippets. Our interactions with ChatGPT allow us to conclude on advantages, disadvantages and limitations of the usage of this new technology.

Subject Classification

ACM Subject Classification
  • Applied computing → Learning management systems
  • Security and privacy → Software security engineering
  • Applied computing → Distance learning
  • Applied computing → E-learning
Keywords
  • Serious Games
  • IT-Security
  • Machine Learning
  • ChatGPT
  • Secure Coding
  • Industry
  • Software Development
  • Teaching

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. Yasemin Acar, Christian Stransky, Dominik Wermke, Charles Weir, Michelle Mazurek, and Sascha Fahl. Developers Need Support, Too: A Survey of Security Advice for Software Developers. 2017 IEEE Cybersecurity Development (SecDev), pages 22-26, September 2017. IEEE Computer Science, Engineering. URL: https://doi.org/10.1109/SecDev.2017.17.
  2. Bushra Aloraini, Meiyappan Nagappan, Daniel German, Shinpei Hayashi, and Yoshiki Higo. An Empirical Study of Security Warnings From Static Application Security Testing Tools. Journal of Systems and Software, 110427(158):1-25, December 2019. Elsevier, Amsterdam, Nederland. URL: https://doi.org/10.1016/j.jss.2019.110427.
  3. Roberto Bagnara, Abramo Bagnara, and Patricia M Hill. Coding guidelines and undecidability. arXiv preprint, 2022. URL: https://arxiv.org/abs/2212.13933.
  4. Bundesamt für Sicherheit in der Informationstechnik. BSI IT-Grundschutz-Katalog. Technical report, Bundesamt für Sicherheit in der Informationstechnik, Reguvis Fachmedien GmbH, Köln, Germany, April 2016. 15. ed, BSI. URL: https://download.gsb.bund.de/BSI/ITGSK/IT-Grundschutz-Kataloge_2016_EL15_DE.pdf.
  5. Carnegie Mellon University. Secure Coding Standards. Software Engineering Institute, Online, Accessed 19 March 2019. URL: https://wiki.sei.cmu.edu/confluence/display/seccode.
  6. MITRE Corporation. Common Weakness Enumeration. Online, Accessed 4 July 2019. URL: https://cwe.mitre.org/.
  7. Ralf Dörner, Stefan Göbel, Wolfgang Effelsberg, and Josef Wiemeyer. Serious Games: Foundations, Concepts and Practice. Springer International Publishing, 1 edition, September 2016. Google Scholar
  8. Tiago Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Sifu - A CyberSecurity Awareness Platform with Challenge Assessment and Intelligent Coach. Special Issue of Cyber-Physical System Security of the Cybersecurity Journal, pages 1-23, October 2020. SpringerOpen, Online. URL: https://doi.org/10.1186/s42400-020-00064-4.
  9. Tiago Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque, and Daniel Mendez Fernandez. Awareness of Secure Coding Guidelines in the Industry - A First Data Analysis. In Guojun Wang, Ryan Ko, Md Zakirul Alam Bhuiyan, and Yi Pan, editors, TrustCom 2020: International Conference on Trust, Security and Privacy in Computing and Communications, pages 345-352, December 2020. IEEE, Guangzhou, China. URL: https://doi.org/10.1109/TrustCom50675.2020.00055.
  10. Tiago Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque, and Daniel Mendez. Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey. In Hakan Erdogmus and Ana María Moreno, editors, 43rd International Conference on Software Engineering, pages 1-12, May 2021. . URL: https://arxiv.org/abs/2102.05343.
  11. Tiago Espinha Gasiba. Raising Awareness on Secure Coding in the Industry through CyberSecurity Challenges. PhD thesis, Universität der Bundeswehr München, 2021. URN: urn:nbn:de:bvb:706-7860. URL: https://athene-forschung.unibw.de/85049?query=gasiba&show_id=140142.
  12. GitHub. Copilot. Online, Accessed 15 June 2023. URL: https://github.com/features/copilot.
  13. Katerina Goseva-Popstojanova and Andrei Perhinschi. On the Capability of Static Code Analysis to Detect Security Vulnerabilities. Information and Software Technology, 68:18-33, December 2015. Butterworth-Heinemann, Newton, MA, USA. URL: https://doi.org/10.1016/j.infsof.2015.08.002.
  14. Jacob A. Harer, Louis Y. Kim, Rebecca L. Russell, Onur Ozdemir, Leonard R. Kosta, Akshay Rangamani, Lei H. Hamilton, Gabriel I. Centeno, Jonathan R. Key, Paul M. Ellingwood, Marc W. McConley, Jeffrey M. Opper, Sang Peter Chin, and Tomo Lazovich. Automated Software Vulnerability Detection with Machine Learning. CoRR, abs/1803.04497, 2018. URL: https://arxiv.org/abs/1803.04497.
  15. International Electrotechnical Commission. IEC 62443-4-1 - Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements. Technical report, International Electrotechnical Commission, Geneval Switzerland, January 2018. . Google Scholar
  16. International Organization for Standardization. ISO/IEC 25000:2014 - Systems and Software Engineering — Systems and Software Quality Requirements and Evaluation (SQuaRE) — Guide to SQuaRE. Technical report, International Organization for Standardization, Geneva, CH, March 2014. Software and Systems Engineering. URL: http://iso25000.com/index.php/en/iso-25000-standards.
  17. Akram Louati and Tiago Gasiba. Source Code Vulnerability Detection using Deep Learning Algorithms for Industrial Applications. In The Second International Conference on Ubiquitous Security (UbiSec 2022), pages 1-19, December 2022. . Google Scholar
  18. Open Web Application Security Project. OWASP Top 10. Online, Accessed 15 July 2017. URL: https://tinyurl.com/yyb8wcv9.
  19. OpenAI LP. ChatGPT. Online, Accessed 23 January 2023. URL: https://chat.openai.com/.
  20. Tosin Daniel Oyetoyan, Bisera Milosheska, Mari Grini, and Daniela Soares Cruzes. Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital. International Conference on Agile Software Development, pages 86-103, May 2018. Springer, Cham. URL: https://doi.org/10.1007/978-3-319-91602-6_6.
  21. Suri Patel. 2019 Global Developer Report: DevSecOps finds security roadblocks divide teams. Online, Accessed 18 July 2020. URL: https://about.gitlab.com/blog/2019/07/15/global-developer-report/.
  22. Tim Rietz and Alexander Maedche. LadderBot: A Requirements Self-Elicitation System. 2019 IEEE 27th International Requirements Engineering Conference (RE), pages 357-362, September 2019. IEEE, Jeju, South Korea. URL: https://doi.org/10.1109/RE.2019.00045.
  23. Gaigai Tang, Lianxiao Meng, Shuangyin Ren, Weipeng Cao, Qiang Wang, and Lin Yang. A Comparative Study of Neural Network Techniques for Automatic Software Vulnerability Detection. CoRR, abs/2104.14978, 2021. URL: https://arxiv.org/abs/2104.14978.
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail