Friday, 24 May 2013

Should we use Bayesian or Neural Networks for SAST? yes, but not yet (we are not ready for it)

The super sharp OWASP Leader Johanna Curiel, while trying to get her head around the O2 Platform, asked me earlier today :
    in your research, have you try static code analysis using any form of artificial intelligence such as Bayesian or neural networks ?

    let know, while I was studying, I was researching this stuff. I just would like to hear from you if you had any experience with this
The short answer is NO, I have not really looked at Bayesien or Neural Networks for SAST (Static Analysis)

The longer answer is We Dont need it (yet), since there are many bigger limitations of the current SAST technology and tools, which we need to solve first before we look into that type of advanced analysis and techniques.

That said, I do believe that Bayesien or Neural Networks have a bigger role to play in Static Analysis of code (SAST) and in modelling how an application behaves (specially from the point of view of security).

But we are completely not ready for it, and we also don't have access to the computation power required.

I have written many blog posts on what I think needs to happen on the SAST world and what are the current limitations.

Here is a selection: