
What Does AI Need to Conduct Automated Code Review at Scale?

Chris Anley of NCC Group on LLMs, False Positives and DARPA's AI Cyber Challenge
Chris Anley, chief scientist, NCC Group

How can generative artificial intelligence be adapted to automatically pinpoint and fix software vulnerabilities in large amounts of critical code?


Finding answers to that question is one of the "exciting prospects" tied to the AI Cyber Challenge recently announced by the White House, said Chris Anley, chief scientist at British cybersecurity consultancy NCC Group.

The $20 million challenge, run by the U.S. Defense Advanced Research Projects Agency, features Anthropic, Google, Microsoft and OpenAI contributing not just infrastructure but also in-house expertise to help guide participants (see: White House Debuts $20M Contest to Exterminate Bugs With AI).

"No doubt, there's going to be a huge amount of really exciting research that's going to come out of this," Anley said. "It's a really exciting effort squarely focused on a problem that's essential for the U.S. and U.K. national security and the security of our allies."

Participants will face challenges in the DARPA contest. Anley said large language models such as ChatGPT shouldn't currently be used to conduct code review, not least because of their propensity to hallucinate and make up answers. But finding ways to marry existing static code analysis tools' capabilities with LLMs could ultimately facilitate large-scale automated AI-driven code reviews.

In this video interview with Information Security Media Group, Anley also discussed:

  • Current challenges that preclude DevSecOps teams from using AI to conduct code reviews;
  • The potential offered by marrying code analysis tools with LLMs' natural language interface;
  • How AI could help overcome limits with static analysis tools, provide targeted guidance and markedly reduce false positives in code review.

Anley is chief scientist at NCC Group. He has been carrying out security audits since 1996, performing thousands of penetration tests, code reviews and design reviews on a variety of platforms, languages and architectures for many of the world's largest companies. He promotes, advises and assists with NCC Group research programs, and he carries out independent research into new and emerging security threats.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
