
CAREER: Towards Automated Vulnerability Management: Vulnerability Discovery, Localization, and Continuous Monitoring

Project: Research project

Project Details

Description

Open-source software security vulnerabilities lead to severe impacts, e.g., stolen personal data, financial losses, and disrupted services. Due to the significant growth of vulnerabilities in recent years, it has become increasingly challenging for developers to efficiently manage security vulnerabilities, leading to supply-chain delays and prolonged security risks. While artificial intelligence tools are increasingly adopted in software development, it remains unclear whether they can reliably assist vulnerability management. This project builds tools that leverage AI to assist vulnerability management in open-source software and continuously monitors the security behaviors of AI agents in software development. The project's novelties are the combination of AI with program analysis for vulnerability localization, a new recommender system for prioritizing and discovering vulnerabilities, and novel testing methodologies for auditing the security behaviors of AI agents. The project's broader significance and importance are the strengthening of the open-source software supply chain, which supports modern software infrastructure; the training of next-generation security researchers and software developers, including summer research camps in New Jersey; and the public release of benchmarks and tools that improve security research. The project's objectives are divided into three research thrusts: (1) using program analysis and graph neural networks to enhance patch localization and vulnerable code localization; (2) constructing a novel benchmark and recommender system for vulnerability discovery and prioritization based on a major bug bounty platform; (3) monitoring the security behaviors of AI agents for code review and generation by detecting security failures and inconsistency with user expectations.
The project seamlessly integrates various methodologies and disciplines, including program analysis, large language models, natural language processing, software testing, and AI agents. Key deliverables include prototype tools, benchmarks, and monitoring workflows, which are easily adoptable through platforms such as GitHub. This research fosters a comprehensive approach for vulnerability management, contributing to a more secure and trustworthy software ecosystem. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
Status: Not started

Effective start/end date: 1/07/26 to 30/06/31
