Why GitHub Is Bullish on AI's Role in Cybersecurity

2024-01-03

GitHub is not only using large language models (LLMs) to discover potential code vulnerabilities, but the company also utilizes these powerful models to detect leaked passwords and reduce false positives.

GitHub foresees a critical role for artificial intelligence in the software development lifecycle, including its security aspects. Over the past year, the company has integrated more than 70 features into GitHub Advanced Security, and at the GitHub Universe conference held in November 2023 it announced the inclusion of generative AI.

The company now believes that security vulnerabilities can be identified during the code writing phase. By leveraging an LLM, GitHub can not only identify potential vulnerabilities but also give developers secure code recommendations from the beginning.

"With automated fixes, we will suggest remediation plans in pull requests. So, developers will not only see alerts but also see advisory fixes provided by AI," said Jacob Depriest, Vice President and Deputy Chief Security Officer of GitHub, in an interview with AIM.

These are not ordinary fixes. They are concise, actionable recommendations for quickly understanding and resolving vulnerabilities. Developers can now address issues more quickly and prevent new vulnerabilities from silently entering their codebase.

Depriest said GitHub has seen tremendous success with this new feature: "This means that when developers receive alerts while working, they resolve the issues before the code goes into production about 50% of the time, which is crucial."

Protecting Secrets with AI

GitHub uses LLMs not only to discover potential code vulnerabilities but also to detect leaked passwords and reduce false positives.

According to Depriest, almost 80% of security vulnerabilities are caused by leaks of credentials or confidential information. "Secret scanning has always been a core part of GitHub Advanced Security and a key component of our security roadmap.

"Now, with artificial intelligence, we will also detect common secrets and low-confidence patterns in the code, significantly enhancing this capability and capturing and protecting them before secrets even enter production."

In addition, Depriest believes that security issues start with developers, or more precisely, with developers' accounts. Considering the prevalence of credential leaks, GitHub has chosen to strongly promote enabling multi-factor authentication for all contributors on github.com.

"This is not an easy or quick task. It requires a lot of planning and investment to achieve. But we truly believe it is the right thing to do," he said.

Now, with the introduction of the new secret scanning feature, GitHub can detect common or unstructured secrets in the code.

Protecting against AI Vulnerabilities

Although GitHub is optimistic about leveraging artificial intelligence in cybersecurity, the era of generative AI also presents various scenarios where it becomes a substantial cybersecurity threat. For example, prompt injection attacks remain a significant challenge for cybersecurity teams. Over time, we have seen that LLMs are susceptible to prompt injection attacks.

Given GitHub's close alliance with Microsoft, it may be leveraging OpenAI's GPT models, particularly the state-of-the-art GPT-4. However, it has also been found that GPT-4 is vulnerable to prompt injection attacks.

Depriest believes that responsible integration and security measures within the tool are crucial for mitigating such manipulations. This approach is essential for protecting against prompt injection and similar vulnerability scenarios.

Furthermore, according to Depriest, in the era of AI, protecting infrastructure and the entire network workspace remains a key aspect of cybersecurity.

"We treat this responsibility with the same diligence as protecting github.com. This includes threat detection, secure operations, and ensuring code security, and it applies to AI models as well. We maintain unified controls and compliance principles in all aspects of our core responsibility."

Does AI fundamentally change cybersecurity?

Although GitHub heavily relies on generative AI capabilities, including for cybersecurity, Depriest does not believe it fundamentally changes the cybersecurity landscape.

"The reality is that every new technology is dual-use. This pattern has remained consistent across various technologies over the past two decades. I still don't think it fundamentally changes our approach to security, what we need to do, what our job is, and how we will maintain the platform's security."

He firmly believes that the advantage of generating secure code from the beginning and continuously maintaining its security outweighs the potential risks associated with certain threats.