Integrating Artificial Open Generative Artificial Intelligence into Software Supply Chain Security
Vasileios Alevizos, George A Papakostas, Akebu Simasiku, Dimitra Malliarou, Antonis Messinis, Sabrina Edralin, Clark Xu, Zongliang Yue

TL;DR
This paper explores the integration of open Large Language Models into software supply chain security, evaluating their potential to improve detection of code errors and deprecated code, while highlighting limitations and future opportunities.
Contribution
It introduces experimental analysis of LLMs for software security challenges, comparing their effectiveness to traditional static and dynamic scanners, and discusses their potential and limitations.
Findings
LLMs can identify source code errors and deprecated code.
Significant limitations include memory complexity and handling unfamiliar data.
Proactive LLM application with security databases can enhance SSC security.
Abstract
While new technologies emerge, human errors are always looming. As the software supply chain becomes increasingly complex and intertwined, the security of a service has become paramount to ensuring the integrity of products, safeguarding data privacy, and maintaining operational continuity. In this work, we conducted experiments applying promising open Large Language Models (LLMs) to two main software security challenges: source code language errors and deprecated code, with a focus on their potential to replace conventional static and dynamic security scanners that rely on predefined rules and patterns. Our findings suggest that while LLMs present some unexpected results, they also encounter significant limitations, particularly in memory complexity and the management of new and unfamiliar data patterns. Despite these challenges, the proactive application of LLMs, coupled with extensive security…
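For context on what the abstract means by a conventional scanner that "relies on predefined rules and patterns", the following is an added illustration, not code or data from the paper: a minimal rule-based baseline for the two tasks the paper evaluates LLMs on (language errors and deprecated code). It parses Python with the standard `ast` module, reports syntax errors, resolves import aliases, and flags calls whose fully qualified name appears in a small deprecation table. The table (`DEPRECATED_APIS`), the `Finding` type and the sample source are constructed for this example. Note the built-in weakness the paper's "unfamiliar data patterns" limitation also touches: anything absent from the table is invisible to this scanner.

```python
"""Rule-based baseline scanner (illustrative, not the paper's code).

Flags (1) syntax errors and (2) calls to APIs listed in a constructed
deprecation table, resolving `import x as y` / `from x import y as z`
aliases so that renamed imports are still matched.
"""
import ast
from dataclasses import dataclass

# Constructed deprecation "database": qualified name -> advice.
# ssl.wrap_socket was deprecated in Python 3.7 and removed in 3.12;
# os.tempnam was removed in Python 3 (it was racy and insecure).
DEPRECATED_APIS = {
    "ssl.wrap_socket": "deprecated in 3.7, removed in 3.12; use SSLContext.wrap_socket",
    "os.tempnam": "removed in Python 3; use tempfile.mkstemp",
}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "syntax" or "deprecated"
    detail: str


class _DeprecationVisitor(ast.NodeVisitor):
    """Walks the AST, tracking import aliases and matching call targets."""

    def __init__(self):
        self.aliases = {}     # local name -> fully qualified name
        self.findings = []

    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for a in node.names:
            if node.module:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        self.generic_visit(node)

    def visit_Call(self, node):
        qname = self._qualify(node.func)
        if qname in DEPRECATED_APIS:
            self.findings.append(
                Finding(node.lineno, "deprecated", f"{qname}: {DEPRECATED_APIS[qname]}")
            )
        self.generic_visit(node)

    def _qualify(self, func):
        # Turn a dotted attribute chain into "a.b.c", resolving the leftmost
        # name through the alias table. Non-name roots (e.g. calls on call
        # results) are not resolvable by this simple rule and return None.
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None
        root = self.aliases.get(func.id, func.id)
        return ".".join([root] + list(reversed(parts)))


def scan(source: str) -> list:
    """Return findings for one source file, sorted by line."""
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        # A language error stops the rule-based pass entirely.
        return [Finding(e.lineno or 0, "syntax", e.msg)]
    visitor = _DeprecationVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: aliased imports hide both deprecated calls
# from a naive substring match, but not from the alias-resolving scanner.
SAMPLE = """\
import ssl as s
from os import tempnam as mktmp
import socket

def serve(sock: socket.socket):
    tls = s.wrap_socket(sock, server_side=True)
    path = mktmp()
    return tls, path
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Both deprecated calls in `SAMPLE` are reported at lines 6 and 7 only because they sit in the table; a newly deprecated API, or a construct the table never anticipated, produces no finding, which is exactly the gap the paper is probing with LLMs.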
