AI detects vulnerabilities
I was write about the ability for artificial intelligence to automatically detect code vulnerabilities since at least 2018. This is an ongoing area of research: AI scanning source code, AI finding zero days in the wild, and everything in between. AI isn’t very good at this yet, but it’s getting better.
Here are some anecdotal information from this summer:
From July 2024, ZeroPath takes a new approach, combining deep program analysis with competitive AI agents for verification. Our methodology identified many critical vulnerabilities in production systems, including several that traditional static application security testing (SAST) tools were insufficient to detect. This post provides a deep technical dive into our research methodology and a live summary of bugs found in popular open source tools.
Expect many developments in this area over the next few years.
This is what I am said in a recent interview:
Let’s focus on the software. Imagine we have artificial intelligence that finds software vulnerabilities. Yes, attackers can use these AIs to hack systems. But defenders can use the same artificial intelligence to find software vulnerabilities and then patch them. This capability, if it exists, will likely be built into the standard software development toolkit. We can imagine a future where all vulnerabilities that are easy to find (not all vulnerabilities; there are many theoretical results about this) are removed in software before shipping.
When that day comes, all old code will be vulnerable. But all new code will be safe. And eventually, these software vulnerabilities will be a thing of the past. In my head, some future programmer shakes his head and says, “Remember the early decades of this century when software was full of vulnerabilities? That’s before the AI found them all. Wow, it was a crazy time.” We are not there yet. We’re not even close to there. But this is a reasonable extrapolation.
