OpenAI has launched Codex Security, a new tool designed to assist developers in finding and rectifying software code vulnerabilities. Similar to competing products, Codex Security analyzes an application's code base to pinpoint weaknesses and propose solutions.
Developers grant the tool access to their code repositories. Codex Security then creates a secure, isolated copy of the code for analysis, a process that can span several days. The output is a "threat model": a detailed natural-language document describing how the program works and where it is potentially vulnerable, such as interfaces that accept uploads of sensitive data and are therefore likely targets for attack.
Users can customize the threat model to prioritize specific components of the application. Codex Security uses this model to guide its vulnerability scans, then tests the flaws it identifies in a sandbox environment to assess whether they are exploitable. It filters out false positives, ranks the remaining vulnerabilities by severity, and saves logs of flaws it could not confirm for further review.
For each confirmed exploitable flaw, Codex Security provides a remediation suggestion consisting of the necessary code fix and a natural-language explanation. Developers can review and apply these suggestions directly.
Originally an internal tool named Aardvark, Codex Security underwent a beta program that reportedly reduced false positives by over 50%. Early users detected more than 11,000 critical and high-severity vulnerabilities. OpenAI also used the tool to scan popular open-source projects, identifying 14 severe vulnerabilities for the CVE database.
Codex Security is now available as a research preview for ChatGPT Enterprise, Business, and Edu tiers. Open-source project maintainers can access the tool free of charge.