AppGPT: Generating functional cybersecurity tools with user interfaces from natural language prompts using ChatGPT, GitHub, and Streamlit

There was a time when I took pride in what I could do in cybersecurity without coding but Streamlit changed this for me because it finally made building tools with user interfaces within my reach. Running scripts in a command-line certainly has its place but being able to turn them into web apps can make them more accessible — particularly for non-coders.

During my tenure leading Cybersecurity R&D at Dataminr, I leveraged Streamlit to build a custom interface for Shodan called Sensei that allowed users to compare and aggregate the results of several asset identification methods simultaneously. This project was quite fun and quick by app development standards as it took a hack coder like me one day but I couldn’t help but wonder what it would be like if this process was even quicker and more accessible. What if you needed a custom tool for research or real-time data analysis and could have it ready to use within a minute? A day’s work just doesn’t seem nearly fast enough after over 5 years in a real-time event detection company like Dataminr where every second counts.

Indeed, this problem has fascinated me for a while and drove me to create a chatbot 4 years ago leveraging Dialogflow and Slack to provide our analysts with on-demand access to key internal and external information. This tool — called Casper — was basic in capability and could return information about things but had no real generative skills and certainly wasn’t able to code apps. Casper’s biggest liability was the same as Sensei’s — my own limited time and skill.

Around when I started using Streamlit a few years ago, I also began experimenting with a tool that seemed like it could help solve this problem — OpenAI’s GPT-3. It proved promising when it came to understanding and translating code but the interface just wasn’t ideal for a true on-demand solution that interprets natural language requests conversationally to code apps. This, of course, is where ChatGPT has proven to be quite useful. A combination of ChatGPT, GitHub, and Streamlit Cloud can be used to generate functional apps with user interfaces from natural language prompts within seconds. This is currently achievable only when the desired app is extremely simple in scope but with further experimentation and eventual improvements of the GPT model itself, it is clear that we are on the cusp of having on-demand AI-generated custom software. So how can we experiment with this now?

1. Create accounts for ChatGPT, GitHub, and Streamlit Cloud (all free!)
2. Click “New app” once you’ve logged into Streamlit Cloud and select “From sample app template” for the easiest path to get started
3. In ChatGPT, write a prompt describing the functionality and design of the app you want to build, starting with something along the lines of “how can I create a Streamlit app that…”
4. Submit the prompt to ChatGPT
5. ChatGPT typically responds with its interpretation of what you are asking for followed by a detailed step-by-step explanation with snippets, thorough code comments, and the complete code of the app
6. Copy the full app’s code into a .py file (streamlit_app.py in example below) and add it to your Streamlit app’s GitHub repository, add dependencies to requirements.txt, and then commit
7. Navigate to your app in Streamlit Cloud and use it!
8. Iterate to fix and improve

Experiments:

While testing out this technique, I conducted a series of experiments starting with very basic ones like:

• “How can I write a Streamlit app that takes text as input, highlights IOCs, and then adds them to a dataframe with their type?” (See above for screenshot of result)

Other than occasional issues with variable names that were easy to debug, these kind of basic tools with a single input and output worked quite well even when using the code provided by ChatGPT’s first attempt.

Eventually, I built myself up to trying something a bit more complex using a threaded dialog with ChatGPT iterating over an idea step-by-step. The result of this is CISA Known Exploited Vulnerabilities Explorer, a tool that takes a CISA-hosted .csv as input, displays critical top-line metrics from it, and provides tools to analyze the data using a variety of visualizations. Overall, this took no more than an hour to put together which is impressive given my low skill level and it being actually useful as a tool for understanding high-risk vulnerabilities. I had to adjust and troubleshoot a bit but the vast majority of the code (~95%) is taken directly from ChatGPT unedited and I’m exploring ways this could get even higher. Overall, I view this as a very successful proof-of-concept that has me excited to see both what I can do with it in the near-term and what the whole world will be able to do once a more advanced version of this capability becomes mainstream.

Key Takeaways:

• While this technique can be useful for anyone, a working knowledge of Streamlit and Python will aid in debugging if you are trying something ambitious — some basic apps with utilitarian designs can be generated with a single prompt but most will require either a bit of intervention or some back and forth with ChatGPT to get right
• Using ChatGPT to generate Streamlit apps is an incredible learning tool. It can help you figure out where to start when trying to code something, get you out of a jam, give you a sense of what libraries and techniques to use for particular tasks and how to implement them, introduces you to new Streamlit functionality that you may have not thought to use on your own, produce code comments that are generally higher quality than what I would produce…
• This is all 100% Free! ChatGPT, GitHub, and Streamlit Cloud can all be used free of charge.
• On-demand custom application development generated through natural language conversations with an AI-powered chatbot is becoming viable and will be common by the end of the decade!

Next Steps:

• I recently resigned from my role at Dataminr to take a break and explore new opportunities which gives me the free time and mental space to explore this concept further
• I hope to use this approach to build upon CISA KEV Explorer and create a toolkit where it becomes just one of a suite of tools focused on tracking and analyzing critical vulnerabilities by incorporating data on vulnerability disclosures, exploit PoCs, bug bounties, CVE trends etc.
• I plan to investigate how this workflow could be fully automated using ChatGPT and Github APIs such that the code provided in the chat is extracted, added to a repo, and pushed with a single user action — idea to app with one click!
• I would love to hear from anyone else who has experimented with similar techniques or has feedback on this post as I’m hoping to continue to share more of what I’m working on going forward