Existing malicious code detection techniques demand the integration of multiple tools to detect different malware patterns, often suffering from high misclassification rates. Therefore, malicious code detection techniques could be enhanced by adopting advanced, more automated approaches to achieve high accuracy and a low misclassification rate. We present SocketAI, a malicious code review workflow to detect malicious code. Our baseline comparison demonstrates a 16% and 9% improvement over static analysis in precision and F1 scores, respectively. GPT-4 achieves higher accuracy with 99% precision and 97% F1 scores, while GPT-3 offers a more cost-effective balance at 91% precision and 94% F1 scores. Prescreening files with a static analyzer reduces the number of files requiring LLM analysis by 77.9% and decreases costs by 60.9% for GPT-3 and 76.1% for GPT-4. 

With our increasing reliance on third-party software, our supply chain has become very complex and comes with a large number of risks that have led to many high-profile supply chain attacks. Different breaches have different causes and involve multiple steps to execute a supply chain attack. To secure our supply chain and ecosystem, we should adopt an adversarial mindset. In this research, we studied the npm ecosystem from the viewpoint of a data-driven attacker, focusing on how an attacker would use and assess the publicly available information to identify the weakest link in a software supply chain and then execute a large supply chain attack. We proposed six signals of security weaknesses in the npm software supply chain: 1) expired email domain; 2) install scripts; 3) unmaintained packages; 4) too many maintainers; 5) too many contributors; and 6) overloaded maintainers.
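
A defender can audit their own dependencies for several of these signals using registry metadata alone. The sketch below is an added example, not code from the study: it flags four of the six signals in an npm registry metadata document, and the function name `weakLinkSignals`, both thresholds, and the caller-supplied set of lapsed domains are assumptions.

```javascript
// Added example: flags weak-link signals in npm registry metadata (a "packument").
// Thresholds are illustrative assumptions, not values from the study.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const MAX_MAINTAINERS = 10;    // assumed cut-off
const UNMAINTAINED_DAYS = 730; // assumed cut-off (two years)

function weakLinkSignals(packument, { now, expiredDomains = new Set() }) {
  const signals = [];
  const latest = packument["dist-tags"]?.latest;
  const manifest = packument.versions?.[latest] ?? {};
  // Signal 2: install scripts run commands on the installing machine.
  const hooks = INSTALL_HOOKS.filter((h) => manifest.scripts?.[h]);
  if (hooks.length) signals.push({ signal: "install-scripts", detail: hooks });

  // Signal 3: unmaintained, measured as days since the latest release.
  const published = Date.parse(packument.time?.[latest]);
  if (!Number.isNaN(published)) {
    const ageDays = Math.floor((now - published) / 86400000);
    if (ageDays > UNMAINTAINED_DAYS) signals.push({ signal: "unmaintained", detail: ageDays });
  }

  // Signal 4: many maintainers means many accounts able to publish.
  const maintainers = packument.maintainers ?? [];
  if (maintainers.length > MAX_MAINTAINERS)
    signals.push({ signal: "too-many-maintainers", detail: maintainers.length });

  // Signal 1: maintainer e-mail on a domain found lapsed by a separate WHOIS/DNS check.
  const lapsed = maintainers
    .filter((m) => expiredDomains.has(String(m.email ?? "").split("@").pop().toLowerCase()))
    .map((m) => m.name);
  if (lapsed.length) signals.push({ signal: "expired-email-domain", detail: lapsed });
  return signals;
}

// Constructed sample metadata (not a real package).
const samplePackument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0" },
  versions: { "1.2.0": { scripts: { postinstall: "node setup.js", test: "jest" } } },
  time: { "1.2.0": "2019-01-01T00:00:00.000Z" },
  maintainers: [{ name: "alice", email: "alice@lapsed.example" }, { name: "bob", email: "bob@ok.example" }],
};

const report = weakLinkSignals(samplePackument, {
  now: Date.parse("2024-01-01T00:00:00.000Z"),
  expiredDomains: new Set(["lapsed.example"]),
});
console.log(JSON.stringify(report, null, 2));
```

The two remaining signals (too many contributors, overloaded maintainers) need repository data and cross-package counts, so they are left out of this single-document check.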

The Scorecard project auto-generates a “security score” for OSS projects with a list of security check metrics to verify baseline security standards and generate valuable information about OSS threats and risks. We evaluated the OpenSSF Scorecard security metrics in the npm and PyPI ecosystems to identify the security gaps and recommend practical automated security practices to practitioners. Our ML models showed Code-Review, Maintained, Branch Protection, and Security Policy as the most important metrics to improve package security.

Do I really need all this work to find vulnerabilities?

To build secure software while addressing the ever-growing attack surface, practitioners must utilize the available resources as efficiently as possible to remove the most vulnerabilities from software. Practitioners often use different technologies that optimize resources and increase efficiency to improve vulnerability detection efforts while not expanding the resources. Therefore, practitioners can benefit from guidance in selecting vulnerability detection and prevention techniques and tools. We apply six different categories of vulnerability detection and prevention techniques—SMPT, EMPT, DAST, IAST, RASP, and SAST—to a large Java application of an open-source medical records system to compare vulnerability detection techniques.