Check out why ChatGPT’s code analysis skills left Carnegie Mellon researchers unimpressed. Plus, JCDC will put special focus on critical infrastructure security in 2024. Meanwhile, CISA and OpenSSF shine a spotlight on the security of software package repositories. And scammers leveraged tech tools to steal $10 billion from U.S. consumers last year. And much more!
Dive into six things that are top of mind for the week ending February 16.
Thinking of using ChatGPT to detect flaws in your code? You’ll have to double-check that its findings are accurate.
That’s the conclusion of a research team from Carnegie Mellon University. The researchers, from the CERT Division of the university’s Software Engineering Institute (SEI), tested ChatGPT 3.5’s ability to examine noncompliant software code examples using the SEI CERT C Coding Standard.
The results show that “while ChatGPT 3.5 has promise, there are clear limitations,” Mark Sherman, one of the researchers, wrote in the blog post “Using ChatGPT to Analyze Your Code? Not So Fast.”
So how did ChatGPT 3.5 fare at error detection? As the graph below shows, it succeeded less than half of the time.
(Source: CERT Division of Carnegie Mellon University’s Software Engineering Institute, February 2024)
The research also shows that ChatGPT 3.5's code-analysis accuracy varies depending on the type of coding error it encounters.
ChatGPT 3.5’s Rate of Discovery and Correction of Specific Coding Mistakes
(Source: CERT Division of Carnegie Mellon University’s Software Engineering Institute, February 2024)
So what’s the takeaway? Review ChatGPT 3.5’s output. Don’t trust it blindly.
Meanwhile, the researchers expect ChatGPT and other generative AI tools to get better at code analysis. For example, in preliminary testing, ChatGPT 4.0 performs better than ChatGPT 3.5, Sherman wrote.
To get all the details, read the blog post “Using ChatGPT to Analyze Your Code? Not So Fast.”
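To make concrete what a CERT C "noncompliant code example" looks like, here is an added illustration in the style of the standard. It is not code from the SEI blog post or from the Carnegie Mellon researchers. The rule cited, STR31-C ("Guarantee that storage for strings has sufficient space for character data and the null terminator"), is a real CERT C rule; the struct, the function names and the sample inputs are constructed for this example. The exercise is the one the research describes: a reviewer, human or LLM, is asked to flag the first function and propose the second, and the takeaway stands either way, since a tool that misses the defect or proposes a wrong fix still needs a person to check it.

```c
/* Added example (not from the SEI post or the Tenable article): a CERT C
 * style noncompliant/compliant pair of the kind the researchers fed to
 * ChatGPT 3.5. Rule STR31-C is real; everything else here is constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 16

struct user { char name[NAME_LEN]; };

/* Noncompliant (STR31-C): strcpy() copies as many bytes as the source holds,
 * so a source longer than NAME_LEN - 1 characters writes past the end of
 * 'name'. This is the kind of defect a code reviewer should flag. */
void set_name_noncompliant(struct user *u, const char *src)
{
    strcpy(u->name, src); /* no bounds check: undefined behaviour on long input */
}

/* Compliant: verify that the source plus its terminator fits before copying.
 * Returns true on success; returns false and leaves 'name' untouched if the
 * input does not fit (refusing is safer than silently truncating). */
bool set_name_compliant(struct user *u, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof u->name) {
        return false;               /* len + 1 bytes would not fit */
    }
    memcpy(u->name, src, len + 1);  /* len + 1 copies the null terminator too */
    return true;
}

/* Helper: length of the name actually stored, or -1 if the copy was refused.
 * Makes the compliant function's behaviour observable without printing. */
int stored_name_length(const char *src)
{
    struct user u = { "unchanged" };
    if (!set_name_compliant(&u, src)) {
        return -1;
    }
    return (int)strlen(u.name);
}

int main(void)
{
    struct user u;
    const char *ok = "alice";                                   /* constructed: fits */
    const char *too_long = "a-deliberately-very-long-username"; /* constructed: 33 chars */

    printf("%s -> %s\n", ok, set_name_compliant(&u, ok) ? "stored" : "rejected");
    printf("%s -> %s\n", too_long,
           set_name_compliant(&u, too_long) ? "stored" : "rejected");
    return 0;
}
```

The compliant version deliberately refuses oversized input rather than truncating it; truncation would satisfy STR31-C as well, but silently shortening an identifier is its own class of bug, so the caller is made to handle the failure explicitly.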
For more information about using AI tools and technology for cybersecurity tasks:
Defuse advanced persistent threat (APT) attacks against critical infrastructure. Improve critical infrastructure’s cybersecurity foundation. Accelerate cybersecurity innovation to curb emerging technology threats against critical infrastructure.
Notice a theme?
Those are the three main areas of focus this year for the Joint Cyber Defense Collaborative (JCDC), the group of government and private-sector organizations launched in 2021 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to collaborate on cybersecurity.
“These priorities will further expand the breadth and depth of our partnership to tackle more challenging, forward-leaning cyber risks that could evolve in the future, not just the immediate risks,” Clayton Romans, the JCDC’s Associate Director, wrote in a blog post this week.
More specific priorities include:
To get more details, check out:
For more information about protecting critical infrastructure from cyberattacks, check out these Tenable resources:
Video: The Business Risk From a Ransomware Attack on OT Systems
Involved with boosting the security of your software supply chain? You may be interested in new guidance issued this week for better securing software package repositories.
Published by the Open Source Security Foundation (OpenSSF) in collaboration with CISA, the “Principles for Package Repository Security” framework aims to help those in charge of repositories assess and improve their security. The guidance could also help organizations better evaluate the security of the repositories they use.
“Compromises of widely used open source dependencies can have widespread consequences. Package repositories are at a critical point in the open source ecosystem to help prevent or mitigate such attacks,” reads a blog co-authored by OpenSSF and CISA representatives.
The framework, now in version 0.1, outlines four core areas of repository security – authentication, authorization, general capabilities, and command-line interface tooling. It also details four levels of security maturity – from level zero to level three – for each area.
For example, a package repository would be considered to have level-three security authentication if it:
To get all the details, check out:
For more information about software supply chain security:
During our webinar “When it Comes to Vulnerabilities, ‘Critical’ Doesn’t Always Mean ‘Critical,’” we took the opportunity to poll attendees about their vulnerability management programs. Check out what they said about their main VM challenges and their vulnerability-identification methods.
(286 respondents polled by Tenable in January 2024)
(321 respondents polled by Tenable in January 2024)
Watch the “When it Comes to Vulnerabilities, ‘Critical’ Doesn’t Always Mean ‘Critical’” webinar on-demand and learn how to establish an efficient and smooth patching process.
$10 billion. That’s how much consumers in the U.S. lost in 2023 to fraud, according to the U.S. Federal Trade Commission (FTC).
The losses, up 14% from 2022, are a new record, as fraudsters increasingly use technology to improve the speed, precision and sophistication of their scams.
“Digital tools are making it easier than ever to target hard-working Americans, and we see the effects of that in the data we're releasing today,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement.
In total, the FTC fielded 2.6 million fraud reports. Investment scams generated the most losses with $4.6 billion, an increase of 21%.
(Credit: Federal Trade Commission, February 2024)
And the top method used to target consumers? That’d be email, followed by good, old-fashioned phone calls, with text messages in third place.
To get more details, check out:
The U.S. government is offering up to $10 million for information that can lead to identifying or locating leaders of the Hive ransomware gang.
There’s another $5 million reward for information that leads to the arrest of anyone who participated, or tried to participate, in Hive ransomware activity.
The rewards are being offered by the U.S. State Department’s Transnational Organized Crime Rewards Program.
“We will continue to work with allies and partners to disrupt and deter ransomware actors that threaten the backbone of our economies and critical infrastructure,” the State Department said in a statement.
After striking more than 1,500 victims globally, Hive had its operations disrupted and dismantled in 2022 by the FBI in collaboration with international law enforcement agencies.
For more information about the ransomware threat:
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.