Aug 17, 2023

Enhancing Code Security with Generative AI: Using Veracode Fix to Secure Code Generated by ChatGPT

By Devin Maguire

Artificial Intelligence (AI) and companion coding can help developers write software faster than ever. However, as companies look to adopt AI-powered companion coding, they must be aware of the strengths and limitations of different approaches – especially regarding code security.  

Watch this 4-minute video to see a developer generate insecure code with ChatGPT, find the flaw with static analysis, and secure it with Veracode Fix, producing a working function without writing any code by hand.

The video above exposes the nuances of generative AI code security. While generalist companion coding tools like ChatGPT excel at creating functional code, the quality and security of the code often falls short. Specialized solutions like Veracode Fix - built to excel at remediating insecure code - bring a vital security skillset to generative AI. By using generalist and specialist AI tools in collaboration, organizations can empower their teams to accelerate software development that meets functional and security needs. 

ChatGPT Code Security: Understanding the Strengths and Weaknesses of Generalist Companion Coding 

While generalist AI-driven companion coding like ChatGPT exhibits remarkable abilities in generating code for a wide range of use cases, it is imperative to acknowledge both its strengths and weaknesses. On one hand, ChatGPT excels at rapidly producing functional code, thus boosting developers' productivity. On the other hand, it inherits the tendencies and patterns from the data it is trained on, leading to potential security vulnerabilities. Additionally, code provenance questions associated with using models trained on huge volumes of data including open source code with nonpermissive licensing raise legal and licensing concerns. The path to generating not just functional code but secure code without licensing risk requires a deeper understanding of these complexities. 

Example Use Case: Unveiling Security Flaws with ChatGPT Generated Code 

To illustrate the real-world security implications of code generated by ChatGPT, let's consider an actual use case involving a simple task: logging user input. In the example in the video above, we prompted ChatGPT to create a Java application that logs user-supplied input to a standard logger. As expected, in just a few seconds, ChatGPT generates code that meets the functional requirements of the prompt: 

Asking ChatGPT to generate code

Those with a keen eye for secure code will notice an issue with the code ChatGPT generated. While it meets the functional requirements of the prompt, the code contains a security flaw as written. The statement logger.info("User input: " + userInput); writes the user-supplied value into the log record without neutralizing it. If the input contains carriage-return or line-feed characters, the attacker can terminate the current log entry and append forged entries of their own (CRLF injection). This is CWE-117, Improper Output Neutralization for Logs, and it undermines anything that relies on the log as a faithful record of events, from incident investigation to automated alerting.

This scenario highlights a critical paradox: if code generated by ChatGPT meets functional criteria but is riddled with vulnerabilities (i.e., ChatGPT emulates the flawed code it was trained on), it introduces risk and/or requires time-intensive remediation work that ultimately defeats the time-saving and productivity purpose in the first place.  

Veracode Fix and Specialized Generative AI for Code Remediation 

Generalist companion coding tools like ChatGPT have limits, especially when it comes to code security. Specialist generative AI coding tools like Veracode Fix built for the specific task of secure code remediation offer a solution. 

By utilizing a proprietary, curated dataset of reference patches connecting insecure code with remediated examples, Veracode Fix excels in its designated task of code remediation and offers reliable results without the licensing concerns that plague alternatives trained on open-source code. The tradeoffs are the time and effort to develop, train, and align a model. However, focusing on a specific use case enables an approach that emphasizes quality and specialization over breadth and generalization. 

Continuing with the example above, if we were to take the insecure code generated by ChatGPT, a static analysis of the code would identify the CRLF injection flaw. However, instead of trying to manually rewrite and remediate the code (which may take longer than just writing the code from scratch), we can use Veracode Fix to generate a fix for the ChatGPT-generated code to have a functional and secure application in just a few seconds without manually writing any code. 

Veracode Static Analysis has identified a CWE-117 flaw in the code generated by ChatGPT.

Veracode Fix has remediated the CWE-117 flaw by using a URLEncoder to neutralize the user-supplied input that is being logged.
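To make the flaw and the fix concrete, here is an added, self-contained example that is not code from the video, from ChatGPT or from Veracode Fix. It uses java.util.logging, reproduces the vulnerable statement quoted above, applies the URL-encoding remediation described in the caption, and adds a narrower hypothetical helper (escapeLineBreaks, my own name) for comparison. The attacker payload is constructed for the demonstration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

public class LogInjectionDemo {

    private static final Logger logger = Logger.getLogger(LogInjectionDemo.class.getName());

    // Vulnerable (CWE-117): the value is concatenated into the log record as-is.
    // A CR or LF inside userInput ends the current entry, and whatever follows is
    // written on a new line that looks like a separate, legitimate log entry.
    static void logUnsafe(String userInput) {
        logger.info("User input: " + userInput);
    }

    // Remediation of the kind shown in the video: URL-encode the value before logging.
    // CR and LF become %0D and %0A, so the record cannot be split. Every other
    // non-alphanumeric character (spaces, punctuation, control characters) is encoded
    // as well, which is why the logged value no longer reads exactly like the raw input.
    static String neutralizeWithUrlEncoding(String userInput) {
        return URLEncoder.encode(userInput, StandardCharsets.UTF_8);
    }

    // Narrower alternative (hypothetical helper, not from the page): escape only the
    // line terminators so the rest of the value stays readable. This handles CR and LF
    // only; the URL-encoding above covers every control character.
    static String escapeLineBreaks(String userInput) {
        return userInput.replace("\r", "\\r").replace("\n", "\\n");
    }

    static void logSafe(String userInput) {
        logger.info("User input: " + neutralizeWithUrlEncoding(userInput));
    }

    public static void main(String[] args) {
        // Constructed attacker payload: an ordinary-looking value, then CRLF, then a
        // line that mimics java.util.logging's default "LEVEL: message" format.
        String payload = "alice\r\nINFO: User admin authenticated successfully";

        // Emits the forged second line as if it were a genuine record.
        logUnsafe(payload);

        // Emits one record; the injected line break is visible as %0D%0A.
        logSafe(payload);

        // Emits one record with the line break shown as the two characters \r\n.
        logger.info("User input: " + escapeLineBreaks(payload));
    }
}
```

Run with java LogInjectionDemo.java (Java 11 or later). The first call produces two message lines, and the second one, "INFO: User admin authenticated successfully", is attacker-authored but indistinguishable from a real event. The URL-encoded call produces the single value alice%0D%0AINFO%3A+User+admin+authenticated+successfully, which is unambiguous but harder to read because spaces and colons are encoded too. Whichever neutralization you choose, the check to apply in review is the same one the static analysis made: no untrusted value reaches the log sink without passing through it.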

Collaborative AI – Secure software development takes more than a companion… It takes a crew. 

In the pursuit of accelerating secure software development, the concept of not just generative but collaborative AI is emerging. Just as we need to cultivate different skillsets and collaboration in a team, so too do we need to build skillsets and collaboration in generative AI solutions.  

Instead of relying solely on a lone sidekick, hero developers will surround themselves with generative AI skills to successfully navigate the complexities of secure software development faster than ever. Imagine a synergy where specialized AIs harmoniously contribute, ensuring both functionality and security. This collaborative ecosystem mitigates the shortcomings of generalist AIs unlocking their full promise. By embracing collaboration, we elevate our ability to produce secure, efficient, and reliable code. 

In the dynamic landscape of generative AI coding, the quest to optimize both productivity and security reveals a complex interplay of possibilities and limitations. While generalist tools like ChatGPT present a compelling proposition for code generation, their limitations, especially around code security, underscore the need for specialized approaches like Veracode Fix. But these are not mutually exclusive solutions, quite the contrary. Through collaboration among developers and generative AI, we pave the way for a future where AI augments our capabilities and empowers us to produce code that is not only functional but also secure.  

As we navigate this evolving landscape, the integration of AI into our coding practices will shape the future of software development, leading those who embrace it toward a more productive and more secure era. Start your journey to save time and secure more today by getting a demo of Veracode Fix.  

By Devin Maguire

Devin is a Sr. Product Marketing Manager helping customers confidently deliver secure software faster by placing developers and security practitioners at the fulcrum of Veracode’s product positioning and messaging.