Generative AI is changing the way security research is done. By making use of four new tools, Tenable has shown that many of the labor-intensive and complex tasks associated with security research can be automated, speeding up the process and aiding researchers in their tasks.
G-3PO, an NSA-developed tool to disassemble and decompile code, can be used by researchers to better understand a given code or program in order to identify potential vulnerabilities. It can take a piece of code and break it down into human-readable explanations, reducing the time and effort it takes to analyze code.
Similarly, BurpGPT is an extension for application testing software Burp Suite that uses GPT-4 to analyze HTTP requests and responses, making it easier for developers to identify cross-site scripting (XSS) vulnerabilities and misconfigured HTTP headers.
Tenable’s research team has also developed a tool for finding IAM policy misconfigurations in Amazon Web Services. Called EscalateGPT, the tool collects IAM policies and sends them to the OpenAI API to be analyzed. The output of this analysis will identify any potential privilege-escalation opportunities, and advise mitigation strategies to fix the vulnerability.
Overall, these new tools demonstrate that generative AI tools like GPT-4 can play an important role in helping security teams, especially when it comes to processing and understanding code. While the output still needs to be checked manually, GPT-4 tools can act as a force multiplier, reducing labor-intensive and complex work needing to be done by experienced researchers.
Tenable is a leading provider of security solutions, helping organizations build and run secure, compliant and connected networks by delivering the most effective and automated cybersecurity technology in the industry. Founded in 2002 and based in Columbia, Maryland, Tenable has emerged as one of the most innovative and forward-thinking forces in cybersecurity.
Olivia Fraser is one of Tenable’s Zero-Day Researchers, and developed the tool G-3PO. She has worked with the company since 2019, and is passionate about finding ways to expand cyber security processes and enhance their effectiveness. In her YouTube video discussing the tool, Olivia stressed the importance of double-checking the tool’s output for accuracy.