Codex Security: OpenAI's AI Revolutionizes Vulnerability Detection
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
Codex Security: A Major Advancement in Application Security
OpenAI introduces Codex Security, an application security agent that stands out for its ability to build a deep context around projects. This approach allows for the identification of complex vulnerabilities that other security tools fail to detect. By delivering reliable results and effective fixes, Codex Security significantly enhances system security while reducing the noise caused by minor bugs.
The assessment of security risks heavily relies on context, a dimension often overlooked by AI-based security tools. These tools tend to produce low-impact results and false positives, forcing security teams to spend valuable time on triage. Meanwhile, the acceleration of software development makes security reviews increasingly crucial. Codex Security addresses both of these issues by combining the advanced reasoning of its models with automated validation. This enables the provision of reliable results and actionable fixes, allowing teams to focus on significant vulnerabilities and deliver secure code more quickly.
An Evolution from Private Beta
Initially known as Aardvark, Codex Security was launched last year in a private beta with a limited group of clients. During the early internal deployments, the tool highlighted a genuine SSRF vulnerability, a critical multi-tenant authentication flaw, as well as numerous other issues resolved by the security team within hours. Initial external testing improved the way users provided relevant product context, facilitating code integration and security. The quality of results significantly improved during the beta: repeated analyses on the same repositories showed increasing accuracy, reducing noise by 84% since the initial deployment.
Results with overstated severity were reduced by over 90%, and false positives dropped by more than 50% across all repositories. These improvements allow Codex Security to align reported severity more accurately with actual risk, thereby reducing the unnecessary burden of triage for security teams. We anticipate a continuous improvement in the signal-to-noise ratio.
Starting today, Codex Security is available in research preview for ChatGPT Pro, Enterprise, Business, and Edu clients via the Codex web, with free usage for the next month.
The Mechanisms of Codex Security
Codex Security is built on OpenAI's advanced models and the Codex agent. It reduces noise and accelerates remediation by anchoring the discovery, validation, and patching of vulnerabilities in a system-specific context.
-
Developing a system context and creating an editable threat model: After configuration, Codex Security analyzes the repository to understand the structure relevant to system security. It generates a project-specific threat model, capturing system actions, trusts, and exposure areas. Threat models can be modified to stay aligned with the team.
-
Prioritizing and validating issues: Using the threat model as context, Codex Security searches for vulnerabilities and categorizes results based on their expected real impact. When possible, it tests results in isolated validation environments to distinguish signal from noise. Users can review this analysis in the validated results. Configured with a project-appropriate environment, Codex Security can validate potential issues directly in the context of the running system, thereby reducing false positives and enabling the creation of functional proof of concepts.
-
Fixing issues with complete system context: Codex Security offers fixes aligned with the system's intent and surrounding behavior. This allows for fixes that enhance security while minimizing regressions, making them safer to review and integrate. Users can filter results to focus on the most critical aspects for their team.
Codex Security also learns from user feedback to improve the quality of its results. By adjusting the severity of a result, it refines the threat model and enhances accuracy in subsequent runs, adapting to the user's architecture and risk posture.
Designed to operate at scale, Codex Security highlights the most reliable results with easy-to-accept fixes. Over the past 30 days, it has analyzed more than 1.2 million commits in external repositories from the beta cohort, identifying 792 critical results and 10,561 high-severity results. Critical issues appeared in less than 0.1% of analyzed commits, demonstrating the system's ability to identify significant security problems while minimizing noise for reviewers.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.