Related papers: Secret Breach Prevention in Software Issue Reports

Secret Breach Prevention in Software Issue Reports

URL: http://arxiv.org/abs/2410.23657v1
Date: Thu, 31 Oct 2024 06:14:17 GMT
Title: Secret Breach Prevention in Software Issue Reports
Authors: Zahin Wahab, Sadif Ahmed, Md Nafiu Rahman, Rifat Shahriyar, Gias Uddin,
Abstract summary: This paper presents a novel technique for secret breach detection in software issue reports. We highlight the challenges posed by noise, such as log files, URLs, commit IDs, stack traces, and dummy passwords. We propose an approach combining the strengths of state-of-the-artes with the contextual understanding of language models.
Score: 2.8747015994080285
License:
Abstract: In the digital age, the exposure of sensitive information poses a significant threat to security. Leveraging the ubiquitous nature of code-sharing platforms like GitHub and BitBucket, developers often accidentally disclose credentials and API keys, granting unauthorized access to critical systems. Despite the availability of tools for detecting such breaches in source code, detecting secret breaches in software issue reports remains largely unexplored. This paper presents a novel technique for secret breach detection in software issue reports using a combination of language models and state-of-the-art regular expressions. We highlight the challenges posed by noise, such as log files, URLs, commit IDs, stack traces, and dummy passwords, which complicate the detection process. By employing relevant pre-processing techniques and leveraging the capabilities of advanced language models, we aim to mitigate potential breaches effectively. Drawing insights from existing research on secret detection tools and methodologies, we propose an approach combining the strengths of state-of-the-art regexes with the contextual understanding of language models. Our method aims to reduce false positives and improve the accuracy of secret breach detection in software issue reports. We have curated a benchmark dataset of 25000 instances with only 437 true positives. Although the data is highly skewed, our model performs well with a 0.6347 F1-score, whereas state-of-the-art regular expression hardly manages to get a 0.0341 F1-Score with a poor precision score. We have also developed a secret breach mitigator tool for GitHub, which will warn the user if there is any secret in the posted issue report. By addressing this critical gap in contemporary research, our work aims at enhancing the overall security posture of software development practices.

Related papers

Do Neutral Prompts Produce Insecure Code? FormAI-v2 Dataset: Labelling Vulnerabilities in Code Generated by Large Language Models [3.4887856546295333]
This study provides a comparative analysis of state-of-the-art large language models (LLMs) We analyze how likely they generate vulnerabilities when writing simple C programs using a neutral zero-shot prompt.
arXiv Detail & Related papers (2024-04-29T01:24:14Z)
Towards Efficient Verification of Constant-Time Cryptographic Implementations [5.433710892250037]
Constant-time programming discipline is an effective software-based countermeasure against timing side-channel attacks. We put forward practical verification approaches based on a novel synergy of taint analysis and safety verification of self-composed programs. Our approach is implemented as a cross-platform and fully automated tool CT-Prover.
arXiv Detail & Related papers (2024-02-21T03:39:14Z)
JAMDEC: Unsupervised Authorship Obfuscation using Constrained Decoding over Small Language Models [53.83273575102087]
We propose an unsupervised inference-time approach to authorship obfuscation. We introduce JAMDEC, a user-controlled, inference-time algorithm for authorship obfuscation. Our approach builds on small language models such as GPT2-XL in order to help avoid disclosing the original content to proprietary LLM's APIs.
arXiv Detail & Related papers (2024-02-13T19:54:29Z)
Zero-Shot Detection of Machine-Generated Codes [83.0342513054389]
This work proposes a training-free approach for the detection of LLMs-generated codes. We find that existing training-based or zero-shot text detectors are ineffective in detecting code. Our method exhibits robustness against revision attacks and generalizes well to Java codes.
arXiv Detail & Related papers (2023-10-08T10:08:21Z)
The FormAI Dataset: Generative AI in Software Security Through the Lens of Formal Verification [3.2925005312612323]
This paper presents the FormAI dataset, a large collection of 112, 000 AI-generated C programs with vulnerability classification. Every program is labeled with the vulnerabilities found within the source code, indicating the type, line number, and vulnerable function name. We make the source code available for the 112, 000 programs, accompanied by a separate file containing the vulnerabilities detected in each program.
arXiv Detail & Related papers (2023-07-05T10:39:58Z)
A Comparative Study of Software Secrets Reporting by Secret Detection Tools [5.9347272469695245]
According to GitGuardian's monitoring of public GitHub repositories, secrets continued accelerating in 2022 by 67% compared to 2021. We present an evaluation of five open-source and four proprietary tools against a benchmark dataset. The top three tools based on precision are: GitHub Secret Scanner (75%), Gitleaks (46%), and Commercial X (25%), and based on recall are: Gitleaks (88%), SpectralOps (67%) and TruffleHog (52%)
arXiv Detail & Related papers (2023-07-03T02:32:09Z)
Verifying the Robustness of Automatic Credibility Assessment [79.08422736721764]
Text classification methods have been widely investigated as a way to detect content of low credibility. In some cases insignificant changes in input text can mislead the models. We introduce BODEGA: a benchmark for testing both victim models and attack methods on misinformation detection tasks.
arXiv Detail & Related papers (2023-03-14T16:11:47Z)
CodeLMSec Benchmark: Systematically Evaluating and Finding Security Vulnerabilities in Black-Box Code Language Models [58.27254444280376]
Large language models (LLMs) for automatic code generation have achieved breakthroughs in several programming tasks. Training data for these models is usually collected from the Internet (e.g., from open-source repositories) and is likely to contain faults and security vulnerabilities. This unsanitized training data can cause the language models to learn these vulnerabilities and propagate them during the code generation procedure.
arXiv Detail & Related papers (2023-02-08T11:54:07Z)
VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code. Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph. VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z)
Software Vulnerability Detection via Deep Learning over Disaggregated Code Graph Representation [57.92972327649165]
This work explores a deep learning approach to automatically learn the insecure patterns from code corpora. Because code naturally admits graph structures with parsing, we develop a novel graph neural network (GNN) to exploit both the semantic context and structural regularity of a program.
arXiv Detail & Related papers (2021-09-07T21:24:36Z)
Security Vulnerability Detection Using Deep Learning Natural Language Processing [1.4591078795663772]
We model software vulnerability detection as a natural language processing (NLP) problem with source code treated as texts. For training and testing, we have built a dataset of over 100,000 files in $C$ programming language with 123 types of vulnerabilities. Experiments generate the best performance of over 93% accuracy in detecting security vulnerabilities.
arXiv Detail & Related papers (2021-05-06T01:28:21Z)

This list is automatically generated from the titles and abstracts of the papers in this site.