Yael Citro
PRESS RELEASE
OX Security Launches OX-GPT, AppSec’s First ChatGPT Integration
Customized fix recommendations and cut-and-paste code fixes dramatically reduce remediation times
Tel Aviv, Israel, May 18, 2023 — OX Security, a leader in software supply chain security, today announced the launch of OX-GPT, the first ChatGPT integration to improve software supply chain security. With the new integration, OX now presents developers with customized fix recommendations and cut-and-paste code fixes, providing for quick remediation of critical security issues across the software supply chain.
ChatGPT has dramatically changed the cybersecurity landscape. Over the past few months, hackers have already begun using ChatGPT, and other AI models to find and exploit vulnerabilities, develop malware, and craft phishing emails.
Yet AI also holds tremendous potential to protect against cyber attacks, and OX Security is the first to use ChatGPT to improve software supply chain security.
Until now, security teams often needed many tools to secure the software supply chain, resulting in too many alerts and fragmented workflows
“Flooded by alerts, developers often become frustrated and overwhelmed. After wasting enough time chasing false positives, they lose trust in these tools and no longer see the value in the activities that security asks them to perform,” said OX Security CEO and co-founder Neatsun Ziv, who served as Check Point’s VP of Cyber Security prior to founding OX. “We want to bring that trust back.”
The first-of-its-kind ChatGPT integration provides developers with contexts for the specific issues they are facing, including how the code in question could be exploited by hackers, the possible impact of such an attack, and potential damage to the organization. It then provides them with control over security and enables faster and easier remediation with cut-and-paste code crafted to secure and fix the specific issue, along with an explanation of why the fix works.
Here are some examples of how developers now receive notifications with OX-GPT:
Code Security
Issue: XML External Entity (XXE) injection via misconfiguration of DocumentBuilderFactory
OX-GPT response:
-
-
- Description of the security issue:
-
The code is vulnerable to XML External Entity (XXE) injection via misconfiguration of DocumentBuilderFactory. XXE is a type of attack where an attacker can exploit an XML parser to access sensitive data on the server or execute arbitrary code. In this case, the attacker can inject malicious XML entities into the XML document being parsed, which can lead to the disclosure of sensitive data or the execution of arbitrary code.
For example, consider the following XML document:
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM “file:///etc/passwd”>
]>
<foo>&xxe;</foo>
If this document is parsed by the vulnerable code, it will read the contents of the /etc/passwd file and include it in the output.
-
-
- Potential harm, damage, and risks:
-
The potential harm of XXE injection can be severe. An attacker can use this vulnerability to read sensitive data, such as passwords, private keys, or other confidential information. They can also execute arbitrary code on the server, which can lead to a complete compromise of the system. This can result in data theft, data loss, or even a complete system takeover.
-
-
- Solution for the security issue:
-
The solution to this security issue is to disable external entity processing in the XML parser. This can be done by setting the “FEATURE_SECURE_PROCESSING” feature to true on the DocumentBuilderFactory object. This will prevent the parser from resolving external entities, which will mitigate the risk of XXE injection.
-
-
- Secure code to replace the vulnerable code:
-
The secure code to replace the vulnerable code is as follows:
//Parsing XML:
DocumentBuilderFactory factory=DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder builder=factory.newDocumentBuilder();
This code disables external entity processing in the XML parser by setting the “FEATURE_SECURE_PROCESSING” feature to true. This will prevent XXE injection and make the code more secure.
IaC
Issue: Azure Virtual Machines SSH Internet access is not restricted
OX-GPT response:
1. Description of the security issue:
The provided IaC creates a network security group (NSG) in Azure that allows inbound SSH and RDP traffic from any source IP address. This means that anyone on the internet can attempt to connect to the virtual machines associated with this NSG using SSH or RDP protocols.
Example:
An attacker can use a tool like Nmap to scan the internet for open SSH ports and identify the IP addresses associated with the vulnerable NSG. Once identified, the attacker can attempt to brute-force the SSH login credentials or exploit any known SSH vulnerabilities to gain unauthorized access to the virtual machines.
2. Potential harm, damage, and risks:
Allowing unrestricted SSH and RDP access to virtual machines can lead to several security risks and potential harm, including:
-
-
- Unauthorized access to sensitive data and resources
- Installation of malware or ransomware on the virtual machines
- Disruption of business operations
- Theft or destruction of data
- Compliance violations and legal penalties
-
3. Solution for the security issue:
To mitigate this security issue, the NSG should be updated to restrict inbound SSH and RDP traffic to only trusted sources. This can be achieved by specifying the source IP addresses or ranges that are allowed to connect to the virtual machines.
4. Secure code to replace the vulnerable code:
The following code restricts inbound SSH and RDP traffic to a specific IP address range (e.g., the corporate network) and denies all other traffic:
“`
resource “azurerm_network_security_group” “good_sg” {
name = “terragoat-${var.environment}”
location = var.location
resource_group_name = azurerm_resource_group.example.name
security_rule {
name = “AllowSSH”
priority = 200
direction = “Inbound”
access = “Allow”
protocol = “Tcp”
source_address_prefix = “10.0.0.0/16”
source_port_range = “*”
destination_address_prefix = “*”
destination_port_range = “22”
}
security_rule {
name = “AllowRDP”
priority = 300
direction = “Inbound”
access = “Allow”
protocol = “Tcp”
source_address_prefix = “10.0.0.0/16”
source_port_range = “*”
destination_address_prefix = “*”
destination_port_range = “3389”
}
security_rule {
name = “DenyAll”
priority = 400
direction = “Inbound”
access = “Deny”
protocol = “*”
source_address_prefix = “*”
source_port_range = “*”
destination_address_prefix = “*”
destination_port_range = “*”
}
tags = {
git_commit = “5c6b5d60a8aa63a5d37e60f15185d13a967f0542”
git_file = “terraform/azure/networking.tf”
git_last_modified_at = “2021-05-02 10:06:10”
git_last_modified_by = “nimrodkor@users.noreply.github.com”
git_modifiers = “nimrodkor”
git_org = “bridgecrewio”
git_repo = “terragoat”
yor_trace = “1a591ba4-d969-4572-9704-87b5c55c0ba3”
}
}
“`
The updated code restricts inbound SSH and RDP traffic to the IP address range 10.0.0.0/16, which can be replaced with the appropriate IP address range for the trusted sources. It also includes a security rule that denies all other inbound traffic to the virtual machines.
“Developers’ primary focus may not be security,” said Shai Sivan, CISO of Kaltura (NASDAQ: KLTR), “but if they could trust that spending a short amount of time to remediate risks pre-production would save them from having to go into crisis mode later, they would take the time to fix those problems.”
“By giving developers control and providing them with the information and tools they need to quickly assess and fix the issue, OX-GPT will enable organizations to stay ahead of attackers,” Ziv continued.
For more information about OX-GPT, send an email to contact@ox.security, or request a demo via OX Security’s website: www.ox.security.
