As a certified AI Hater, I do have to say: We seem to have found one (1) use-case for LLMs where they're useful and (can be) prosocial: Finding software vulnerabilities.
-
This wasn't true a few months ago, but it seems the scales have finally tipped.
It ticks the boxes for me:
- Verifiable
- "Generative" aspect is limited
- Utility that isn't just replacing human labor

(I don't *like* it, and I don't know how the overall cost/benefit shakes out, but... this does seem to be legit. Just be wary of the hype.)
-
Before reaching for an LLM for finding vulnerabilities in your own project, you should probably still be:
- Testing
- Linting
- Running other existing, algorithmic static analysis tools for security
- Fuzzing
- Looking at new and existing security bugs and looking for other bugs of the same type *and* finding ways to make each type of bug harder to introduce in the future

With those already in place, LLMs still don't seem to have a major advantage. I'm curious whether that will change, though.
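As an added example (not the poster's code, and not tied to any real project), here is a self-contained Go sketch of two items on that checklist: fuzzing, and treating a bug as a bug class. The record format (a 2-byte big-endian length followed by the payload), the parsers, and the mutation fuzzer are all invented for this illustration. The buggy parser trusts its length field; the fixed parser shows the check pattern you would then grep the rest of the codebase for; the fuzzer shows how little it takes to surface the crash once a harness exists.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
)

// record builds a constructed length-prefixed record (an assumption for this
// example, not a real protocol): 2-byte big-endian length, then the payload.
func record(payload string) []byte {
	b := make([]byte, 2, 2+len(payload))
	binary.BigEndian.PutUint16(b, uint16(len(payload)))
	return append(b, payload...)
}

// parseRecordBuggy trusts the length field. This is the bug class the fuzzer
// should surface: an attacker-controlled length used without a bounds check.
func parseRecordBuggy(b []byte) []byte {
	n := int(binary.BigEndian.Uint16(b)) // panics when len(b) < 2
	return b[2 : 2+n]                    // panics when n exceeds the bytes present
}

var errTruncated = errors.New("record truncated")

// parseRecordFixed is the hardened variant: the length is validated against
// what is actually present before it is used to slice.
func parseRecordFixed(b []byte) ([]byte, error) {
	if len(b) < 2 {
		return nil, errTruncated
	}
	n := int(binary.BigEndian.Uint16(b))
	if len(b)-2 < n {
		return nil, errTruncated
	}
	return b[2 : 2+n], nil
}

// panics reports whether parse crashes on in. A recover-based oracle only
// sees panics; in a real harness sanitizers or go test -fuzz do this job.
func panics(parse func([]byte), in []byte) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	parse(in)
	return false
}

// fuzz is a minimal mutation-based fuzzer: pick a seed, apply one random
// mutation, run the target, stop at the first crash. The fixed RNG seed keeps
// runs reproducible. It returns the crashing input and whether one was found.
func fuzz(parse func([]byte), seeds [][]byte, iters int, rngSeed int64) ([]byte, bool) {
	rng := rand.New(rand.NewSource(rngSeed))
	for i := 0; i < iters; i++ {
		in := append([]byte(nil), seeds[rng.Intn(len(seeds))]...)
		switch rng.Intn(3) {
		case 0: // flip one bit
			if len(in) > 0 {
				in[rng.Intn(len(in))] ^= 1 << uint(rng.Intn(8))
			}
		case 1: // truncate
			in = in[:rng.Intn(len(in)+1)]
		case 2: // insert a random byte
			pos := rng.Intn(len(in) + 1)
			tail := append([]byte{byte(rng.Intn(256))}, in[pos:]...)
			in = append(in[:pos], tail...)
		}
		// Pin cap == len so an overrun past len is a real bounds panic rather
		// than a silent read of stale bytes in the backing array.
		in = in[:len(in):len(in)]
		if panics(parse, in) {
			return in, true
		}
	}
	return nil, false
}

func main() {
	seeds := [][]byte{record("abc"), record("")}
	buggy := func(b []byte) { parseRecordBuggy(b) }
	if in, found := fuzz(buggy, seeds, 1000, 1); found {
		fmt.Printf("crash in buggy parser on input %x\n", in)
		_, err := parseRecordFixed(in)
		fmt.Printf("fixed parser on the same input: err=%v\n", err)
	}
	fixed := func(b []byte) { parseRecordFixed(b) }
	_, found := fuzz(fixed, seeds, 1000, 1)
	fmt.Println("crash in fixed parser:", found)
}
```

Running it with `go run` prints a crashing input for the buggy parser and shows the fixed parser rejecting that same input with an error. The hand-rolled mutator is there only to keep the example dependency-free; on a real project the same harness shape plugs into `go test -fuzz`, libFuzzer or AFL, which add coverage guidance and sanitizer oracles that a `recover` cannot provide.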