Talk at the W-JAX
Improving Application Security Analyses Using LLMs
About the talk
Even though current frameworks and libraries make it increasingly difficult for developers to (accidentally) introduce serious security problems into their applications, the topic is not losing importance; in many companies the opposite is in fact expected. With the emergence of powerful AI systems, some of them with impressive programming skills, the idea of using these systems to improve, accelerate, and automate security processes naturally arose.
In this session, we present our approach to combining classic, mature (closed and open source) scanning software (SAST, SCA, ...) with the capabilities of modern Large Language Models (LLMs) in order to
- get a handle on the large numbers of false positives that these tools inherently produce
- focus attention on the really important findings from the start
- obtain support in understanding and evaluating findings
- without losing focus, while still being able to fall back on additional (specialized) tools in combination
For empirical data, we evaluated many thousands of findings both manually and via LLM and compared the results. Based on this, in addition to tips for your own implementation, the presentation will also highlight the (quality) differences when working with free and proprietary LLMs and discuss do's and don'ts for prompting.
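As an added illustration of the triage pattern described above (not the speakers' own code), the following Python sketch feeds each scanner finding with its code context to an LLM, demands a structured verdict, ranks the confirmed findings first, and measures how the LLM verdicts agree with manual labels. The SARIF-like finding format, the `ask_llm` callable, the `fake_llm` stand-in and the sample findings are all assumptions constructed for the example.

```python
# Added example: LLM-assisted triage of SAST findings plus agreement with manual review.
# The finding format, `ask_llm` interface and sample data are constructed assumptions.
import json
from typing import Callable

# Constructed sample findings (SARIF-like fields plus the flagged source line and a manual label).
FINDINGS = [
    {"id": "F1", "rule": "sql-injection", "file": "db.py", "line": 12, "manual": "true_positive",
     "snippet": 'cur.execute(f"SELECT * FROM users WHERE id={uid}")'},
    {"id": "F2", "rule": "sql-injection", "file": "db.py", "line": 40, "manual": "false_positive",
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=%s", (uid,))'},
    {"id": "F3", "rule": "hardcoded-secret", "file": "cfg.py", "line": 3, "manual": "false_positive",
     "snippet": 'API_KEY = os.environ["API_KEY"]'},
]

def build_prompt(f: dict) -> str:
    """Give the model rule, location and code, and require a machine-parsable JSON verdict."""
    return (f"Scanner rule: {f['rule']} at {f['file']}:{f['line']}\nCode:\n{f['snippet']}\n"
            'Answer only as JSON: {"verdict": "true_positive"|"false_positive", '
            '"severity": "low"|"medium"|"high", "reason": "..."}')

def parse_verdict(raw: str) -> dict:
    """Parse the model reply; anything unparsable is kept for a human instead of being dropped."""
    try:
        v = json.loads(raw)
        if v.get("verdict") in ("true_positive", "false_positive"):
            return v
    except json.JSONDecodeError:
        pass
    return {"verdict": "needs_review", "severity": "unknown", "reason": raw[:80]}

def triage(findings: list, ask_llm: Callable[[str], str]) -> list:
    """Attach a verdict to every finding and rank confirmed, high-severity ones first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [{**f, **parse_verdict(ask_llm(build_prompt(f)))} for f in findings]
    return sorted(rows, key=lambda r: (r["verdict"] != "true_positive", order.get(r["severity"], 3)))

def agreement(rows: list) -> dict:
    """Compare LLM verdicts with manual labels: FPs correctly removed vs. real issues lost."""
    return {
        "tp_kept": sum(r["manual"] == "true_positive" and r["verdict"] == "true_positive" for r in rows),
        "fp_removed": sum(r["manual"] == "false_positive" and r["verdict"] == "false_positive" for r in rows),
        "tp_lost": sum(r["manual"] == "true_positive" and r["verdict"] != "true_positive" for r in rows),
    }

def fake_llm(prompt: str) -> str:
    """Deterministic stand-in for a real model so the example runs offline (assumption)."""
    if 'f"SELECT' in prompt:
        return '{"verdict": "true_positive", "severity": "high", "reason": "string-formatted SQL"}'
    if "%s" in prompt or "os.environ" in prompt:
        return '{"verdict": "false_positive", "severity": "low", "reason": "parameterised / env lookup"}'
    return "not sure"  # deliberately unparsable: exercises the needs_review fallback
```

Swapping `fake_llm` for a real model client and running `agreement()` over a manually labelled sample is the kind of comparison the talk's empirical data rests on; `tp_lost` is the number to watch, since a triage step that silently discards true positives is worse than no triage at all.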
Munich or Online, Wednesday, November 06, 2024 – 15:15 – 16:15
