As the importance of software security escalates, identifying and addressing source code vulnerabilities becomes essential to maintaining robust and trustworthy systems. Static Application Security Testing (SAST) tools play a vital role in detecting potential weaknesses, yet their high false-positive rates often burden developers with time-consuming manual verification–risking both inefficiencies and unintended functional changes during remediation. This research introduces LogiSec of Thoughts, a novel, prompt-driven reasoning framework designed to improve the triage of vulnerabilities identified by SAST tools. Rooted in the classical Reductio ad Absurdum method, LogiSec of Thoughts guides a Large Language Model (LLM) through a structured four-step reasoning process to evaluate the plausibility of each vulnerability. By attempting to refute the existence of the vulnerability and reasoning through contradictions, the model is prompted to critically assess whether the issue is logically and contextually sound. This methodology operates independently of external expert systems and is adaptable for integration into secure development pipelines. By reducing false positives and improving the prioritization of actionable security issues, LogiSec of Thoughts offers a promising step toward intelligent, automated code security assessment.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Reasoning over Vulnerabilities via LogiSec of Thoughts: A Reductio Ad Absurdum-Based LLM Framework

  • Claudio A. S. Lelis,
  • Cesar A. C. Marcondes,
  • Kevin Fealey

摘要

As the importance of software security escalates, identifying and addressing source code vulnerabilities becomes essential to maintaining robust and trustworthy systems. Static Application Security Testing (SAST) tools play a vital role in detecting potential weaknesses, yet their high false-positive rates often burden developers with time-consuming manual verification–risking both inefficiencies and unintended functional changes during remediation. This research introduces LogiSec of Thoughts, a novel, prompt-driven reasoning framework designed to improve the triage of vulnerabilities identified by SAST tools. Rooted in the classical Reductio ad Absurdum method, LogiSec of Thoughts guides a Large Language Model (LLM) through a structured four-step reasoning process to evaluate the plausibility of each vulnerability. By attempting to refute the existence of the vulnerability and reasoning through contradictions, the model is prompted to critically assess whether the issue is logically and contextually sound. This methodology operates independently of external expert systems and is adaptable for integration into secure development pipelines. By reducing false positives and improving the prioritization of actionable security issues, LogiSec of Thoughts offers a promising step toward intelligent, automated code security assessment.