Welcome to the workshop Harnessing AI: Next Level Strategies for Advanced Security! Below you will find the exercises to complete as a part of this workshop. There will be a set amount of time to complete each one. We will provide a walkthrough of the solution after each exercise. If you get stuck there are hints along the way. Additionaly you can access GIF-based solutions for each exercise.
If you are interested in participating in the limited public beta for secret scanning please join the waitlist and the GitHub staff will be in touch. You can find the terms and conditions here.
This Universe, we are excited to be launching the AI-generated custom patterns feature as a limited public beta. In this exercise, we will generate a custom pattern using this new feature.
Prerequiste - secret scanning must be enabled for this exercise. This feature should already be enabled by default for this repository. If not, please follow the instructions here to enable secret scanning.
-
Navigate to the
Settingstab of the repository, click on theCode security and analysissection, and clickEnableunder secret scanning.
Scenario
You are a part of the security team, and it has been brought to your attention that the MinIO password mona_value_abc124 for the object store has been leaked in the code!
You want to write a custom pattern to detect this.
-
Navigate to
Settingstab of the repository, click onCode security and analysissection, and underCustom Patternsclick onNew pattern -
In the top right hand corner, click on
Generate with AISolution
-
Fill in the options
I want a regular expression thatandExamples of what I am looking forHint
You want to find a string that starts with `mona_value_`Solution
-
Assume that we know that the custom secret pattern always ends with an alphanumeric character of length 6. Can you make the regex pattern more precise? For the most accurate results, it is imperative when dealing with AI that we provide as much detail as possible with as much context as possible.
Hint
Provide the AI with more details about the pattern. Consider factors such as length. What about character composition? Is it entirely numerical?Solution
At Universe 2023 we will also be shipping the generic secret detection using AI feature as a limited public beta. Enabling this feature will use an AI model to detect additional secrets beyond the secrets detected with regular expression.
-
Enable this feature by navigating to the
Settingstab of the repository, click on theCode security and analysissection, and tick the checkboxUse AI detection to find additional secretsunder secret scanning.Solution
-
Add Bob's credentials to the end of the
password.txtfile located at the root of the repository.username=bob@localhost password=verysecure1234
Solution
-
To view detected alerts, navigate to the
Securitytab, underSecret Scanning, click theOtheroptionSolution
Scenario
You have just joined a new team as a developer. To familiarize yourself with the codebase, you've been tasked with remediating some code scanning vulnerabilities in the repository.
You will be remediating an existing SQL Injection vulnerability in main.go on line 309.
There are two tasks to remediate this vulnerability:
- sanitize input in the javascript (Exercise 1)
- fix the SQL prepare statement in the go code (Exercise 2 and Exercise 3)
This Universe we will be launching the code scanning autofix feature as a limited public beta. This feature uses AI to generate fixes on pull requests that contain JavaScript CodeQL alerts. We will see this feature in action in this exercise. If you are interested in participating in this limited public beta, please reach out to your Account Manager if you are an existing customer. Otherwise, reach out to the GitHub Sales Team for assistance. You can find the terms and conditions here.
Input sanitization is a fundamental security practice to prevent SQL injection attacks. Let's add a sanitize method in the javascript to help in mitigating against injection attack vectors.
You can solve this exercise using either the codespaces or the UI. Codespaces is preferable as this is what a developer would use under normal circumstances. However, if codespaces is not loading for you please use the UI.
-
Create a branch called
sql-injection-fixand push it to the remote repo.Hint
Run the command:$ git checkout -b sql-injection-fix $ git push -u origin sql-injection-fixSolution
-
Add the following sanitization function on line 233 of
frontend/components/Gallery.vuefunction sanitizeInput(input) { if (input == null) { return ""; } //escape all occurances of apostrophe input = input.replace("'", "''"); return input; }
-
Call the sanization function from the Update function by placing the following call on line 347 of
/frontend/components/Gallery.vueartItem.description = sanitizeInput(artItem.description) artItem.title = sanitizeInput(artItem.title)
-
Commit and push the code
Solution for steps 2-4
- Raise a pull request to the
mainbranch. Wait for the scans to complete and you should see a CodeQL javascript alert in your pull request. Oh no! There is a vulnerability in our vulnerability! Lucky we have autofix.
Autofix feature
The autofix feature suggests fixes for CodeQL alerts raised as a part of the pull request. At the moment, it only supports JavaScript. Our sanitize function only replaced the first occurance of the string. Autofix has suggested a fix to replace the string with a regular expression and uses the g flag to ensure all occurrences are replaced. You should be able to see an autofix suggestion as a part of the pull request.
-
Navigate to
Copilot Chaticon in your Visual Studio Code IDE (Codespace) -
Open the
main.gofile undergalleryfolder. Navigate to line 309 which represents an injection vulnerability and ask GitHub Copilot Chat to explain the vulnerabilitySolution
Our sanitization function is limited to the user interface (UI). If we expose the Update method through an API or another medium, we remain susceptible to vulnerabilities. Let's use Copilot to remediate the vulnerability.
-
In Codespaces, use the Sarif Viewer to navigate to the SQL Injection vulnerability located in
gallery/main.goon line 309. Note if the Sarif Viewer is not loading the correct SARIF you can use the one provided in theuniverse-utils/go.sarif -
Hover over the alert and select
Fix using Copilot -
Copilot will propose a fix. Review proposed fix and click
Accept -
Commit, push the fix, and merge in the PR to resolve the alert
Solution
Prompt Engineering involves formulating a prompt to optimize the model's ability to generate the most valuable prediction for the user.
A prompt commonly involves at least one of the following elements:
- Instruction - You can use natural language to provide instructions. However, Github Copilot Chat also offers pre-configured slash command choices as default templates to help steer the Language Model (LLM) more effectively toward your intended goal.
- Context - GitHub Copilot Chat lives in the context of an IDE such as Visual Studio Code (VS Code). This involves having relevant files open in each tab and highlighting the code snippet your interested in
- Examples - Provide examples of the desired output. We saw an example of this when generating regexes for secret scanning. Prompting falls into two broad categories:
- Zero shot prompting: this is when no examples are provided to the model.
- Few-shot prompting: this is when examples are provided to the model , it serves as conditioning for subsequent examples where we would like the model to generate a response.
- Output - Specify the desired output format. Some examples within Copilot instruction include:
/explain- will output text fileGenerate Docs- will create comments in the code/fix- will output code
Scenario
There is a custom codeql query written specifically for finding vue related xss vulnerabilities specific to this codebase. This query can be found in the queries folder. Use Copilot Chat to better understand this query.
Initially, we want to see what happens when we don’t provide any context to Copilot Chat.
- Close all tabs and open Copilot chat
- Type in the following into the chat
/explain vue-xss.ql
Was this the output you expected? A key factor contributing to occasional inaccuracies in LLM outputs is the absence of context. These models heavily depend on the information provided in the context. When the context is ambiguous or lacks detail, the model might infer assumptions that result in inaccurate responses.
Solution
Now let's add in some context. Recall that the context for GitHub Copilot is the IDE.
- Open the
vue-xss.qlquery in a tab and run the prompt from the previous exercise:/explain vue-xss.ql
Was the output different?
Solution
The more specific and concise you can be about your problem statement the more accurate the results that will be generated. For example, let’s say that we want to understand the 2 predicates and their regexes between line 42 and line 46.
- Try highlighting between these lines and ask copilot for an explanation.
Solution
Let's say you wanted to comment the CodeQL query so that it is easier to understand for new joiners of the repository.
- Highlight the predicate
resolveRefForArraySourceValuefrom line 60 to line 100 and use the optionGenerate Docs
Solution
Scenario
Threat modelling is often a manual and specialised task conducted by security teams. We can automate some of this process using Copilot.
In this demo we will be using the GitHub Copilot Chat feature from a security practitioner's perspective. We'll observe how leveraging an AI-assisted tool can begin to gain additional context regarding the application's threat boundaries.
-
Let's Ask GitHub Copilot Chat to explain to us the DB interactions in the
gallerymodule of the mona gallery applicationSolution
-
In the
storagemodule lets ask GitHub Copilot Chat to explain to us the threat landscape of theBlobController.javacodeSolution
