The Showdown: SAST vs. GitHub Copilot – who can find the most vulnerabilities?

Vibe coding is popular, but how well does “vibe security” compare to throwing traditional SAST tools at your code? A “vibe security review” seems to be a valuable addition to the arsenal here, and performs better than both SonarQube and Bandit!

Here’s an intentionally poorly programmed Python file (generated by Le Chat with instructions to create a vulnerable and poorly coded text adventure game):

import random
import os

class Player:
    def __init__(self, name):
        self.name = name
        self.hp = 100
        self.inventory = []

    def add_item(self, item):
        self.inventory.append(item)

def main():
    player_name = input("Enter your name: ")
    password = "s3Lsnqaj"
    os.system("echo " + player_name)
    player = Player(player_name)
    print(f"Welcome, {player_name}, to the Adventure Game!")

    rooms = {
        1: {"description": "You are in a dark room. There is a door to the north.", "exits": {"north": 2}},
        2: {"description": "You are in a room with a treasure chest. There are doors to the south and east.", "exits": {"south": 1, "east": 3}},
        3: {"description": "You are in a room with a sleeping dragon! There is a door to the west.", "exits": {"west": 2}},
    }

    current_room = 1

    while True:
        room = rooms[current_room]
        print(room["description"])

        if current_room == 3:
            action = input("Do you want to 'fight' the dragon or 'flee'? ").strip().lower()
            if action == "fight":
                if random.randint(0, 1):
                    print("You defeated the dragon and found the treasure! You win!")
                else:
                    print("The dragon defeated you. Game over!")
                break
            elif action == "flee":
                current_room = 2
                continue

        command = input("Enter a command (go [direction], get [item]): ").strip().lower()

        if command.startswith("go "):
            direction = command.split("go ")[1]
            if direction in room["exits"]:
                current_room = room["exits"][direction]
            else:
                print("You can't go that way.")
        elif command.startswith("get "):
            item = command.split("get ")[1]
            player.add_item(item)
            print(f"You picked up {item}.")
        else:
            print("Invalid command.")

if __name__ == "__main__":
    main()

The code is made unnecessarily complex, and allows user input to be injected directly into the command line. It also has a hardcoded “password” that is not really used for anything. Let’s check the security of this with 3 methods:

  1. SonarQube Cloud (free version)
  2. Bandit (Python SAST tool)
  3. GitHub Copilot with GPT-o4

SonarQube is run with the default ruleset “Sonar Way” with no extra configuration effort. The scan detects “2 security hotspots” and some maintainability issues. A security hotspot is a potential weakness that the SAST tool can’t reach a conclusion on, and that requires manual review.

The first hotspot is the “password”:

SonarQube also gives guidance on how to assess if this is dangerous, and how to fix it, which is quite helpful. The other hotspot is “weak cryptography”, raised because the game uses random.randint to choose whether fight or flee is the winning strategy when encountering a dragon – not a (software) security issue. Dragons can be dangerous, though!

Now, let’s try Bandit.

Bandit did its job and provides links to more information, including CWE references. Blue is “not good” and red is “bad”.

OK, now for GitHub Copilot.

The prompt, followed by the formatted report:

You are a professional software quality expert and security test engineer. Please review this code and provide an overview of security weaknesses with references to CWE's, and suggested fixes. Analyse the current file. Create the output as a security vulnerability report in markdown format. 

Security Vulnerability Report for spaghetti.py

This report provides an analysis of the security weaknesses in the provided spaghetti.py file. Each vulnerability is referenced with its corresponding Common Weakness Enumeration (CWE) and includes suggested fixes.


Vulnerabilities

1. Hardcoded Password

  • Description: The password is hardcoded in the file (password = "s3Lsnqaj"), making it vulnerable to exposure if the file is shared or accessed by unauthorized users.
  • CWE Reference: CWE-798: Use of Hard-coded Credentials
  • Impact: Hardcoded passwords can lead to unauthorized access to sensitive resources.
  • Suggested Fix:
    • Store the password securely using environment variables or a secrets management tool.
    • Example:
      import os
      password = os.getenv("GAME_PASSWORD")
      if not password:
          raise ValueError("Password not set in environment variables")
      

2. Command Injection

  • Description: The os.system call uses unsanitized user input (os.system("echo " + player_name)), which can lead to command injection if a malicious user provides crafted input.
  • CWE Reference: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • Impact: A malicious user could execute arbitrary system commands, potentially compromising the host system.
  • Suggested Fix:
    • Use safer alternatives like subprocess.run with proper input sanitization.
    • Example:
      import subprocess
      subprocess.run(["echo", player_name], check=True)
      

3. Unvalidated User Input

  • Description: User input (player_name, action, command) is not validated or sanitized, which can lead to unexpected behavior or vulnerabilities.
  • CWE Reference: CWE-20: Improper Input Validation
  • Impact: Unvalidated input can lead to crashes, security vulnerabilities, or incorrect program behavior.
  • Suggested Fix:
    • Validate and sanitize all user inputs.
    • Example:
      player_name = input("Enter your name: ").strip()
      if not player_name.isalnum() or len(player_name) > 50:
          print("Invalid name. Please enter a valid name.")
          return
      

4. Predictable Randomness

  • Description: The use of random.randint(0, 1) for critical game logic (e.g., dragon fight outcome) is predictable and not cryptographically secure.
  • CWE Reference: CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • Impact: Predictable randomness can lead to unfair or exploitable outcomes in the game.
  • Suggested Fix:
    • Use a cryptographically secure random number generator if randomness is critical.
    • Example:
      import secrets
      if secrets.choice([True, False]):
          print("You defeated the dragon and found the treasure! You win!")
      else:
          print("The dragon defeated you. Game over!")
      

5. No Input Length Restriction

  • Description: The player_name input does not restrict the length, which could lead to buffer overflow or other issues in certain scenarios.
  • CWE Reference: CWE-1283: Improper Validation of Specified Quantity in Input
  • Impact: Excessively long input could cause performance issues or crashes.
  • Suggested Fix:
    • Limit the length of user input and validate it.
    • Example:
      player_name = input("Enter your name: ").strip()
      if len(player_name) > 50:
          print("Name too long. Please enter a shorter name.")
          return
      

6. No Error Handling

  • Description: The code lacks error handling for invalid commands, missing keys in dictionaries, or unexpected input.
  • CWE Reference: CWE-703: Improper Check or Handling of Exceptional Conditions
  • Impact: The program may crash or behave unpredictably when encountering errors.
  • Suggested Fix:
    • Add proper exception handling to ensure the program handles errors gracefully.
    • Example:
      try:
          direction = command.split("go ")[1]
          if direction in room["exits"]:
              current_room = room["exits"][direction]
          else:
              print("You can't go that way.")
      except KeyError:
          print("Invalid room configuration.")
      except Exception as e:
          print(f"An unexpected error occurred: {e}")
      

Summary

The code contains several vulnerabilities that could compromise its security and reliability. Addressing these issues will improve the robustness and safety of the application.

Recommendations

  1. Replace hardcoded sensitive information with secure storage methods.
  2. Avoid using os.system with unsanitized input; use safer alternatives like subprocess.run.
  3. Validate all user inputs and restrict their length to prevent unexpected behavior.
  4. Use proper error handling to ensure the program does not crash due to invalid input or unexpected conditions.
  5. Consider using cryptographically secure randomness for critical game logic if necessary.

By implementing these fixes, the code will be more secure and maintainable.

Summary

Using Copilot to do a security review and generate a report created the most thorough assessment, which is not surprising. Bandit did quite well and detected the actually dangerous injection vulnerability. SonarQube provides a nice UI but did not detect the one actually serious vulnerability here.
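Pattern-based SAST tools reach findings like these by walking the syntax tree. The following is an added example, not code from the original post and not the actual implementation of Bandit or SonarQube: a minimal ast-based check for the three findings discussed above, run over a constructed excerpt of the game. The function names and the SECRET_NAMES list are assumptions made for illustration.

```python
import ast

# Constructed excerpt of the game's main(), plus one constant-argument call for contrast.
SAMPLE = '''
import os
import random
def main():
    player_name = input("Enter your name: ")
    password = "s3Lsnqaj"
    os.system("echo " + player_name)
    os.system("clear")
    if random.randint(0, 1):
        print("You win!")
'''
SECRET_NAMES = ("password", "passwd", "secret", "token")  # assumed heuristic list

def dotted_name(node):
    """Return e.g. 'os.system' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def is_str_const(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def scan(source):
    """Return sorted (line, cwe, message) findings for Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func) or ""
            # A constant command is fixed text; anything else may carry user input.
            if name == "os.system" and node.args and not is_str_const(node.args[0]):
                findings.append((node.lineno, "CWE-78", "os.system with non-constant command"))
            elif name.startswith("random."):
                findings.append((node.lineno, "CWE-338", "non-cryptographic PRNG, review context"))
        elif isinstance(node, ast.Assign) and is_str_const(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.lower() for s in SECRET_NAMES):
                    findings.append((node.lineno, "CWE-798", f"hardcoded string assigned to '{target.id}'"))
    return sorted(findings)

if __name__ == "__main__":
    for line, cwe, msg in scan(SAMPLE):
        print(f"line {line}: {cwe}: {msg}")
```

The check is purely syntactic: it flags any non-constant os.system argument without tracing whether the value comes from input(), and it flags every random call regardless of purpose, which is why findings like the dragon fight still need manual triage.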

Mastering Your AI Kitchen: Crafting AI Prompts for Business Efficiency & Enhanced Learning

Welcome to your personal AI Kitchen! In today’s fast-paced business world, time is your most precious ingredient, and Artificial Intelligence (AI) tools are the revolutionary kitchen gadgets you didn’t know you needed. Just like a great chef uses precise instructions to create a culinary masterpiece, mastering the art of “prompt engineering” for AI is your secret to unlocking unparalleled efficiency and supercharging your learning journey with generative AI.
Inspired by the “AI Prompt Cookbook for Busy Business People,” let’s dive into how you can whip up amazing results with AI for business.

Now everyone can have their own executive assistant – let AI help you make your day easier and more pleasant to navigate.

The Secret Ingredients: Mastering the Art of AI Prompting


Think of your AI tool as an incredibly smart assistant, often powered by Large Language Models (LLMs). The instructions you give it – your “AI prompts” – are like detailed recipe cards. The better your recipe, the better the AI’s “dish” will be. The “AI Cookbook” highlights four core principles for crafting effective AI prompts:


Clarity (The Well-Defined Dish): Be specific, not vague. When writing AI prompts, tell the AI exactly what you want, leaving no room for misinterpretation. If you want a concise definition of a complex topic, specify the length and target audience for optimal AI efficiency.


Context (Setting the Table): Provide background information. Who is the email for? What is the situation? The more context you give in your AI prompt, the better the AI understands the bigger picture and tailors its response, leading to smarter AI solutions.


Persona (Choosing Your AI Chef): Tell the AI who to act as or who the target audience is. Do you want it to sound like a witty marketer, a formal business consultant, or a supportive coach? Defining a persona helps the AI adopt the right tone and style, enhancing the quality of AI-generated content.


Format (Plating Instructions): Specify the desired output structure. Do you need a bulleted list, a paragraph, a table, an email, or even a JSON object? This ensures you get the information in the most useful way, making AI for productivity truly impactful.


By combining these four elements, you transform AI from a generic tool into a highly effective, personalized assistant for digital transformation.


AI for Work Efficiency: Automate, Accelerate, Achieve with AI Tools


Well-crafted AI prompts are your key to saving countless hours and boosting business productivity. Here’s how AI, guided by your precise instructions, can streamline your work processes:


Automate Repetitive Tasks: Need to draft a promotional email, generate social media captions, or outline a simple business plan? Instead of starting from scratch, a clear AI prompt can give you a high-quality first draft in minutes. This frees you from mundane tasks, allowing you to focus on AI strategy and human connection.


Generate Ideas & Summarize Information: Facing writer’s block for a blog post series? Need to quickly grasp the key takeaways from a long market report? AI tools can brainstorm diverse ideas or condense lengthy texts into digestible summaries, accelerating your research and content creation efforts.


Streamline Communication: From crafting polite cold outreach emails to preparing for challenging conversations with employees, AI can help you structure your thoughts and draft professional messages, ensuring clarity and impact across your business operations.


The power lies in your ability to instruct. The more precise your “recipe,” the more efficient your “AI chef” becomes, driving business automation and operational excellence.


AI for Enhanced Learning: Grow Your Skills, Faster with AI


Beyond daily tasks, AI is a phenomenal tool for continuous learning and competence development. It’s like having a personalized tutor and research assistant at your fingertips:


Identify Key Skills: Whether you’re looking to upskill for a new role or identify crucial competencies for an upcoming project, AI can generate lists of essential hard and soft skills, complete with explanations of their importance for professional development.


Outline Learning Plans: Want to master a new software or understand a complex methodology? Provide AI with your current familiarity, time commitment, and desired proficiency, and it can outline a structured learning plan with weekly objectives and suggested resources for AI-powered learning.


Generate Training Topics: For team leads, AI can brainstorm relevant and engaging topics for quick team training sessions, addressing common challenges or skill gaps. This makes professional development accessible and timely.


Structure Feedback: Learning and growth are fueled by feedback. AI can help you draft frameworks for giving and receiving constructive feedback, making these conversations more productive and less daunting.


AI empowers you to take control of your learning, making it more targeted, efficient, and personalized than ever before.


Your AI Kitchen Rules: Cook Smart, Cook Ethically


As you embrace AI in your daily operations and learning, remember these crucial “kitchen rules” from the “AI Cookbook”:


Always Review and Refine: AI-generated content is a fantastic starting point, but it’s rarely perfect. Always review, edit, and add your unique human touch and expertise. You’re the head chef!


Ethical Considerations: Be mindful of how you use AI. Respect privacy, avoid plagiarism (cite sources if AI helps with research that you then use), and ensure your AI-assisted communications are honest and transparent. For a deeper dive into potential risks, especially concerning AI agents and cybersecurity pitfalls, you might find this article insightful: AI Agents and Cybersecurity Pitfalls. Never input sensitive personal or financial data into public AI tools unless you are certain of their security protocols and terms of service.


Keep Experimenting: The world of AI is evolving at lightning speed. Stay curious, keep trying new prompts, and adapt the “recipes” to your specific needs. The more you “cook” with AI, the better you’ll become at it.


The future of business is undoubtedly intertwined with Artificial Intelligence. By embracing AI as a collaborative tool, you can free up valuable time, automate mundane tasks, spark new ideas, and ultimately focus on what you do best – building and growing your business and yourself.


So, don’t be afraid to get creative in your AI kitchen, and get ready to whip up some amazing results. Your AI-powered business future is bright!


Ready to master your AI kitchen? Unlock even more powerful “recipes” and transform your business today! Get your copy of the full AI Prompt Cookbook here: Master Your AI Kitchen!

Transparency: AI helped write this post.