
Security Audit with Generative AI 🤖🔒

Why rely on AI for security? 🧐

Generative AI never sleeps, doesn’t get distracted and doesn’t complain if you ask it to re-read the same file for the tenth time. But can it really replace the clinical eye of someone who has seen more bugs than sunsets? Spoiler: no, but it can be a valuable ally for uncovering vulnerabilities, insecure configurations and hair-raising practices.

Advantages:

  • Fast analysis of large codebases
  • Identification of risky patterns (even those you thought you had well hidden)
  • Practical and often… ruthless suggestions

Limitations:

  • Doesn’t understand corporate context (yet!)
  • Can report false positives (or ignore the bug that will cost you sleep)
  • Does not replace human review, but makes it more effective

How does an AI-driven audit work? 🛠️

The idea is simple: provide the AI with a well-structured prompt, feed it the code and wait for it to return a list of issues (and some unsolicited advice). The secret? Write a clear, specific prompt with no room for creative interpretations.

⚡️ This type of prompt produces the best results when used with agents specialized in code analysis, such as GitHub Copilot, ChatGPT with code review plugins or similar tools.

Here is an example of a prompt you can use for a security code review:

Analyze the code and perform a code review focused on security.

Identify:

- vulnerabilities
- insecure configurations
- unsafe programming practices or patterns
- calls to deprecated or dangerous functions
- hardcoded credentials or sensitive information
- unhandled errors or exceptions

For each issue identified report the code section involved and provide:

- a risk assessment (High, Medium, Low)
- a clear description
- a practical mitigation suggestion

Perform security analysis only, ignore generic refactoring or performance optimizations, do not add further considerations.

Create an `AUDIT-{YYYYMMDD}.md` file in the project root.

Example of audit result:

# Security Audit Report

## Identified Vulnerabilities

### 1. Insecure File Permissions

**Severity: HIGH**

**Location**:

- pkg/model/operations.go:

```go
err := os.Mkdir(newDirPath, os.ModePerm)  // 0777
err := os.WriteFile(newFilePath, []byte{}, os.ModePerm)  // 0777
```

**Description**: Using `os.ModePerm` (0777) to create files and directories grants full permissions to all users, potentially exposing sensitive data.

**Mitigation**:

- Use more restrictive permissions such as 0750 for directories and 0640 for files
- Implement a function that determines the appropriate permissions based on the context and the user

### 2. Command Injection Vulnerability

**Severity: HIGH**

**Location**:

- pkg/model/model.go:

```go
cmd := exec.Command("code", path)
cmd := exec.Command("open", path)
cmd := exec.Command("xdg-open", path)
```

**Description**: Executing commands with unsanitized input can lead to command injection if the path contains special characters or malicious sequences.

**Mitigation**:

- Validate and sanitize paths before execution
- Use filepath.Clean() to normalize paths
- Implement a whitelist of permitted characters

Best practices for AI audits and security 🦾

  • Don’t trust blindly: the AI can be brilliant, but also very creative…
  • Always validate results: every report must be checked by a human (preferably caffeinated)
  • Integrate the AI into the process: use it as a first filter, then pass the ball to the security team
  • Document everything: save reports, annotate decisions and update documentation. One day you’ll thank yourself.
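
One way to automate the first pass of "always validate results", as an added example that is not part of the original article: it parses the report layout shown earlier and flags findings whose cited file or quoted line does not exist in the project. The function names and `SAMPLE_REPORT` are constructed for illustration, and it assumes each finding cites its location as a `- path:` bullet followed by a fenced snippet.

```python
import re
from pathlib import Path

FENCE = "`" * 3  # markdown fence marker, built this way so it can sit inside a fenced block

# Constructed sample in the report layout shown above (not real tool output).
SAMPLE_REPORT = f"""### 1. Insecure File Permissions
- pkg/model/operations.go:
{FENCE}go
err := os.Mkdir(newDirPath, os.ModePerm)  // 0777
{FENCE}
### 2. Command Injection Vulnerability
- pkg/model/model.go:
{FENCE}go
cmd := exec.Command("code", path)
{FENCE}
"""

def parse_findings(report):
    """Yield (title, cited path, quoted code lines) for each cited location."""
    title, path, in_code, lines = None, None, False, []
    for line in map(str.strip, report.splitlines()):
        if line.startswith(FENCE):
            if in_code and path:  # closing fence of a snippet tied to a file
                yield title, path, lines
            in_code, lines = not in_code, []
        elif in_code:
            lines.append(line)
        elif line.startswith("### "):
            title, path = line[4:], None  # new finding, forget the previous file
        elif m := re.fullmatch(r"- (\S+\.\w+):", line):
            path = m.group(1)

def normalize(code):
    """Naively drop a trailing // comment (the model may add its own) and collapse spaces."""
    return " ".join(code.split("//")[0].split())

def verify(report, root):
    """Return (title, path, problem) for every citation that fails to check out."""
    base, problems = Path(root).resolve(), []
    for title, rel, quoted in parse_findings(report):
        target = (base / rel).resolve()
        if not target.is_relative_to(base) or not target.is_file():
            problems.append((title, rel, "cited file not found in project"))
            continue
        source = {normalize(s) for s in target.read_text(errors="replace").splitlines()}
        problems += [(title, rel, f"quoted line not in file: {q}")
                     for q in quoted if normalize(q) and normalize(q) not in source]
    return problems
```

An empty result only means the citations exist; whether each finding is a real vulnerability is still the human reviewer's call.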

Limitations and risks not to underestimate ⚠️

  • The AI doesn’t know internal policies or “historical” exceptions in your project
  • It could suggest solutions incompatible with your stack
  • Does not replace team training: security is (still) a human responsibility

Conclusion 🎯

Generative AI is like a hyperactive colleague: it helps you find problems you didn’t know you had, but occasionally needs to be reined in. Use it to speed up security audits, but never delegate the final judgment. And remember: the best defense is still a healthy dose of skepticism (and a few more tests).
