"Generative AI Helps Spot Malicious Open-Source Code"

One company is helping developers research open-source software packages to discover code components that are secure from attacks. Endor Labs, a startup that helps governments and businesses secure open-source software, has released its DroidGPT tool in private beta, with plans to make it fully available in the next two months. Developers can log into the company's platform and ask questions in a conversational style, such as which packages have the fewest vulnerabilities. DroidGPT then generates results based on Endor Labs' large and frequently updated database of open-source software. The results are cross-referenced with the company's data on the quality, popularity, trustworthiness, and security of each package. Developers in both the public and private sectors are increasingly reliant on open-source software, which has become the foundation of numerous technologies and applications. The Biden administration's 2021 executive order called for open-source software's "integrity and provenance" to be checked, and for Software Bills of Materials (SBOMs) to keep a formal record of the software supply chain used in building applications. Varun Badhwar, CEO of Endor Labs, stated that about 80 percent of the code that makes up applications is open-source, which makes development easier but raises concerns about where that code originates, especially since there is no support structure in place to identify faulty code. This article continues to discuss Endor Labs' DroidGPT tool aimed at helping developers spot malicious open-source code.

GCN reports "Generative AI Helps Spot Malicious Open-Source Code"