>>9883
You can do fuzzing techniques, for some degree of automation in code review, but that's pretty much it. This is useful for finding errors that can be exploited for buffer overflow attacks and so on.
Neural network machine learning is at the base level statistical brute force. You would tell it to look at strings of program code to assign a statistical probability for security vulnerabilities to code fragments. Then you stack the algorithms to assign a statistical probability for security flaws to code sequences that are made up of code fragments. You continue stacking it again and again. You will eventually try to map out the entirety of all the possible states of computer hardware and that will take too long.
Neural networks are powerful tools because computers have achieved epic scales of circuit logic that allows brute force number crunching, but in this application it's a disadvantage because now you have to proof-read something of epic scale. You need to have concept-forming intelligence for understanding code.
When you learn how to play a dexterity sport like, for example, throwing a ball in a very precise way, you have to repeat throwing the ball over and over so your brain can collect lots of data about the world and the body parts that are involved in throwing. The brain takes that data and spits out a skill, and in some ways that is similar to what happens in machine learning. However, even though you know how to throw the ball you will not gain conceptual understanding of ball aerodynamics or ballistic trajectories.
The real effort to use automation to make code more secure is by making compilers more intelligent. The basic premise is to build a more advanced stack of programming tools that will not let you make insecure code in the first place. This is more in line with how we figured out regulations for buildings to prevent houses from collapsing. What is needed for this is forensic analysis of the actual hacker exploits that are being used. From that we can build general code building regulations into the compilers that prevent exploitable code, like regulation rules prevent unsound construction design.
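As an added illustration of the fuzzing point made at the top of the post (this is example code written for this page, not something the poster supplied), the block below contains a constructed length-prefixed record parser with an off-by-one bounds check, the same parser with the check corrected, and a minimal mutation fuzzer. The fixed-size buffer and the `MemoryFault` exception are stand-ins for what a C program would do silently (write past the end of a stack buffer); raising on the out-of-bounds index is the same role a runtime sanitizer plays. All names, the record format, the seed corpus and the mutation strategy are assumptions made for the example.

```python
import random

BUF_SIZE = 16  # fixed-size destination buffer, as a C parser might keep on the stack


class MemoryFault(Exception):
    """Stands in for the silent out-of-bounds write a C program would suffer."""


def _write_into_buffer(buf: bytearray, index: int, value: int) -> None:
    # In C, buf[index] = value past the end corrupts adjacent memory silently.
    # Here it becomes a detectable fault, which is what a sanitizer does at runtime.
    if index >= len(buf):
        raise MemoryFault(f"write at index {index} past buffer of {len(buf)} bytes")
    buf[index] = value


def parse_record_vulnerable(data: bytes) -> bytes:
    """Constructed record format: [length byte][payload...].
    The payload is copied into a fixed buffer and NUL-terminated.
    Constructed bug: the bounds check is off by one; length == BUF_SIZE passes,
    so the terminator is written one byte past the end of the buffer."""
    if not data:
        raise ValueError("empty input")
    length = data[0]
    if length > len(data) - 1:
        raise ValueError("truncated record")
    if length > BUF_SIZE:  # BUG: should be >= BUF_SIZE
        raise ValueError("record too long")
    buf = bytearray(BUF_SIZE)
    for i in range(length):
        _write_into_buffer(buf, i, data[1 + i])
    _write_into_buffer(buf, length, 0)  # lands at buf[16] when length == 16
    return bytes(buf[:length])


def parse_record_hardened(data: bytes) -> bytes:
    """Same parser with the bounds check corrected: the terminator needs a slot."""
    if not data:
        raise ValueError("empty input")
    length = data[0]
    if length > len(data) - 1:
        raise ValueError("truncated record")
    if length >= BUF_SIZE:  # fixed: leave room for the terminator
        raise ValueError("record too long")
    buf = bytearray(BUF_SIZE)
    for i in range(length):
        _write_into_buffer(buf, i, data[1 + i])
    _write_into_buffer(buf, length, 0)
    return bytes(buf[:length])


# Boundary values that fuzzers commonly try for size fields.
INTERESTING = [0, 1, BUF_SIZE - 1, BUF_SIZE, BUF_SIZE + 1, 0x7F, 0xFF]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three small random mutations to an input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(4)
        if choice == 0 and buf:  # overwrite a byte with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif choice == 1 and buf:  # +/-1 arithmetic, the classic off-by-one probe
            i = rng.randrange(len(buf))
            buf[i] = (buf[i] + rng.choice((-1, 1))) & 0xFF
        elif choice == 2 and buf:  # flip a single bit
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        else:  # append junk so a grown length field still has bytes behind it
            buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 16)))
    return bytes(buf)


# Constructed seed corpus of valid records.
SEED_CORPUS = [
    b"\x05hello",
    b"\x0f" + b"A" * 15 + b"\x00" * 4,  # valid 15-byte record with trailing slack
]


def fuzz(target, iterations: int = 5000, seed: int = 1):
    """Return the first mutated input that triggers a MemoryFault, or None.
    ValueError is the parser's intended rejection path and is not a finding."""
    rng = random.Random(seed)
    for _ in range(iterations):
        candidate = mutate(rng.choice(SEED_CORPUS), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except MemoryFault:
            return candidate
    return None


if __name__ == "__main__":
    crash = fuzz(parse_record_vulnerable)
    print("vulnerable parser:", crash.hex() if crash else "no fault found")
    print("hardened parser:", fuzz(parse_record_hardened))
```

The fuzzer has no coverage feedback, so it relies on the boundary values and the +/-1 mutation to land on the single length value that crosses the buffer edge; the hardened parser rejects that same input through its intended error path, which is why the run against it reports nothing. The point of the exercise is that the fuzzer finds the fault without any understanding of the code, which is the post's argument about brute force versus conceptual understanding.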