If I say I am going to ask my developers not to use GPT for their work, think about what would happen. The practical way to approach GPT usage for programming is to see how we can embrace it and address the concerns. In this article, let us look at the things that we need to pay attention as security testing tips for GPT.
There are many facets of GPT usage, but security is one of the topmost aspect that we need to consider. From wrong coding answers, to answers that could expose private data to the Internet, GPT usage comes with issues that we need to be aware of and tackle. Let us look at the basic principles to get started.
Security considerations in design and code
Code snippets that GPT gives do not have security considerations out of the box. We should not take what GPT recommends as is and copy and paste that code as implementation. When the prompt for code does not specifically ask for secure code, one will never get it. Even if asked for, it is mostly probable that you will not get the correct secure code as GPT might not have the full picture of what is being implemented and what are the security considerations. We have to consider this fact when using the code generated by GPT.
Security Testing Tips for GPT: policies, awareness, and education
CISOs should device security policies for teams, sitting along with the entire team, and also educate and create awareness about the pitfalls of GPT-generated code and how to avoid them. Exposing private data, private databases, developer keys, etc. to GPT should be prevented. Secure by design principles should be adhered to, and security should not be just a checkmark, but an active engagement with the developers and the team.
OWASP Top 10 For LLMs
OWASP Top 10 for LLMs have been released, and it would serve as a guidance for things to take care of while devising security policies for GPTs. It is a new, evolving field with threats being looked into. Things like prompt injection are still being looked at and it would be best to take care of policies related to these updates as early as possible in the organisations.
Library And Package Recommendations by LLMs
Library and packages are a rich source of hacking possibilities. Combined with social engineering on websites that point to malicious packages, they are a potent area for security vulnerabilities. Developers, while using GPTs for their implementations should be extra cautious about looking at the libraries and packages recommended by LLMs. Packages that don’t exist and recommended by LLMs could be created by hackers and hence, more than ever, applying the security principles around packages is so important.
To summarize, it is best to assume that your development team will use GPT for their programming work and make security policies, procedures, and practices accordingly. Embracing this new technology is a challenge. Whether it is an opportunity to reduce coding effort and time is something that only time can answer. For now, one could consider the security testing tips for GPT that are mentioned above.
For more detailed discussion on these topics, please feel free to contact me.