TL;DR:
- Code Intelligence introduces CI Spark, an AI assistant for software security testing.
- CI Spark automates the identification of attack surfaces and test code generation, reducing manual effort significantly.
- The collaboration with Google’s OSS-Fuzz resulted in the discovery of over 50 CVEs.
- CI Spark combines LLM code analysis and AI-driven white-box testing.
- Key advantages include automatic identification of fuzzing candidates, leveraging existing unit tests, and interactive test generation.
- CI Spark enhances existing tests to increase code coverage.
- CEO Sergej Dechand highlights that CI Spark accelerates white-box test creation by 15 times.
- CI Spark supports JavaScript/TypeScript, Java, and C/C++ with plans for broader language compatibility.
- A rollout for commercial projects is in progress.
Main AI News:
In a groundbreaking move, Code Intelligence has introduced CI Spark, a cutting-edge AI-powered assistant tailored for software security assessments. CI Spark represents a significant leap in simplifying the complex task of identifying potential attack vectors and generating corresponding test code, thereby drastically reducing the manual effort involved. According to the company, what once consumed hours of a developer’s time can now be accomplished in mere minutes. In a remarkable collaboration with Google’s OSS-Fuzz, CI Spark has already played a pivotal role in uncovering more than 50 CVEs (Common Vulnerabilities and Exposures).
At its core, CI Spark harnesses the code analysis and test generation capabilities of LLMs (large language models) in conjunction with AI-driven white-box testing. This formidable duo is guided by a comprehensive set of prompts specifically designed to pinpoint security-critical functions and automatically construct top-tier tests for them. Notably, Code Intelligence’s feedback-based fuzzing functionalities can utilize these prompts as a starting point for their self-improvement algorithms. The advantages of this pioneering approach to test creation are manifold:
- Automatic Identification of Fuzzing Candidates: CI Spark provides a meticulously curated list of public functions and methods that serve as ideal entry points for fuzz tests.
- Leveraging Existing Unit Tests: Unit tests that invoke the candidate API can be given to CI Spark as hints. These tests provide concrete examples of the correct utilization of the API, resulting in more robust generated tests.
- Automatic Test Generation: CI Spark empowers users to swiftly generate fuzz tests for their selected candidates. An interactive mode lets users provide guidance to the AI, thereby enhancing the quality of the generated tests and rectifying any potential errors.
- Enhancing Existing Tests: For those who already possess fuzz tests, CI Spark steps in to assist in optimizing and augmenting these tests to enhance code coverage.
Sergej Dechand, CEO and Co-Founder of Code Intelligence, expressed the significance of this innovative AI assistant, stating, “Code Intelligence’s new AI-assistant, CI Spark, is addressing the tradeoff between development speed and security that many dev teams still have to make. By combining the power of LLMs with self-learning AI, the solution empowers engineers to create white-box tests 15 times faster than before.”
Notably, CI Spark has already proven its mettle by aiding Code Intelligence engineers in identifying more than 50 CVEs, encompassing vulnerabilities such as SQL/Command Injection, XSS (Cross-Site Scripting), and Remote Code Execution. This achievement occurred during its initial deployment in tandem with Google’s OSS-Fuzz, a project dedicated to continually fortifying the security of open-source projects. To further bolster software security, the Google Security team has recently incorporated similar functionality into OSS-Fuzz, with a specific focus on C/C++.
CI Spark currently supports fuzz tests for JavaScript/TypeScript, Java, and C/C++, with plans to expand its compatibility to other programming languages in the near future. The company is diligently working on making CI Spark available for commercial projects, marking a pivotal moment in the realm of software security.
Conclusion:
The introduction of CI Spark represents a significant advancement in software security testing, streamlining the process and enabling rapid identification of vulnerabilities. Its collaboration with OSS-Fuzz and focus on increasing code coverage signify a positive shift towards more secure software development practices. The market can anticipate increased efficiency and effectiveness in identifying and mitigating security risks.