Evaluating the Impact of ChatGPT on Exercises of a Software Security Course

Published 18 Sep 2023 in cs.CY | (2309.10085v1)

Abstract: Along with the development of LLMs such as ChatGPT, many existing approaches and tools for software security are changing. It is therefore essential to understand how security-aware these models are and how they affect software security practice and education. In the exercises of a software security course at our university, we ask students to identify and fix vulnerabilities that we insert into a web application, using state-of-the-art tools. With the arrival of ChatGPT, and especially the GPT-4 version of the model, we want to know how students could use ChatGPT to complete the exercise tasks. We input the vulnerable code to ChatGPT and measure its accuracy in identifying and fixing vulnerabilities. In addition, we investigate whether ChatGPT can provide proper sources of information to support its outputs. Results show that, in a white-box setting, ChatGPT identified 20 of the 28 vulnerabilities we inserted in the web application, reported three false positives, and found four additional vulnerabilities beyond the ones we inserted. ChatGPT made nine satisfactory penetration-testing and fixing recommendations for the ten vulnerabilities we want students to fix, and it can often point to related sources of information.
