OpenAI ChatGPT markets itself as a conversational tool that lets users interact with the interface in a very convenient way.

It has become pretty popular and does a lot of stuff many other tools wish they can do. Of course, people like catchy slogans, but the model seems to go beyond all expectations.

There are so many possibilities, but the potential gains for cybersecurity and software development look significant. You can already paste entire blocks of code and ask the model to fix bugs and catch vulnerabilities.

You get explanations and recommendations like the ones you would receive on major platforms such as Stackoverflow.

See that example: https://twitter.com/sagitz_/status/1598615931135172609 or this one: https://twitter.com/amasad/status/1598042665375105024/photo/1

Pen-testers and security researchers can use it to generate payloads. Likewise, there are existing examples of complete malware analysis and disassembly.

Remember when the great Kasparov was crushed by Deep Blue, the IBM supercomputer, in 1997?

From what I've seen so far, you get very accurate and contextualized answers, and way faster than with humans.

For example, if you enter the following "injectable" code without any other hint:

<?php

if (PHP_SAPI === 'cli') {
    parse_str(implode('&', array_slice($argv, 1)), $_GET);
}

$file_db = new PDO('sqlite:../database/database.sqlite');

if (NULL == $_GET['id']) $_GET['id'] = 1;

$sql = 'SELECT * FROM employees WHERE employeeId = ' . $_GET['id'];

foreach ($file_db->query($sql) as $row) {
    $employee = $row['LastName'] . " - " . $row['Email'] . "\n";

    echo $employee;
}

Source: vulnerable php code example

ChatGPT answers:

This code is vulnerable to SQL injection attacks because it directly incorporates user-supplied input from the GET parameter "id" into the SQL query without proper sanitation or validation. This allows an attacker to inject malicious code into the query and potentially access or manipulate sensitive data from the database.

To prevent this vulnerability, the code should use prepared statements and parameterized queries to separate the data from the query. This will help protect against potential vulnerabilities by using placeholders for the data values, and will ensure that only safe data is included in the query.

For example:

$stmt = $file_db->prepare("SELECT * FROM employees WHERE employeeId = ?"); 
$stmt->bind_param("i", $_GET['id']); $stmt->execute(); 
$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) { 
    $employee = $row['LastName'] . " - " . $row['Email'] . "\n";
    echo $employee;
}

This updated code will prevent SQL injection attacks by using prepared statements and parameterized queries, and will help ensure the integrity and security of the database.

For skeptical readers, it's indeed a very basic example, and ChatGPT is not perfect, yet. See that post by The Verge: https://www.theverge.com/23488017/openai-chatbot-chatgpt-ai-examples-web-demo. There are some limitations:

There are plenty of examples of ChatGPT confidently asserting obviously false information

You need to keep humans in the loop, which is great! ChatGPT seems ready for some pair programming ^^.

I encourage developers and security professionals to try it, at least.