Endor Labs has developed a static application security testing (SAST) tool that leverages agentic artificial intelligence (AI) to more accurately identify vulnerabilities and other issues in code created in more than 40 programming languages.
Amod Gupta, vice president of product and design for Endor Labs, said the AI SAST tool the company develops combines a multi-modal static analysis engine, multiple AI agents and large language models (LLMs) to create the equivalent of a security engineer that analyzes code as it is developed.
The AI agents were built using a proprietary code application programming interface (API) that builds a model of how the code works in a way that provides additional context about the organization, added Gupta.
That approach enables the AI SAST tool to filter findings by analyzing syntax, dataflow and intent, reducing the number of false positives that SAST tools have historically generated by 92% on average, the company claims.
SAST AI will also review code for architectural and business logic flaws, such as broken access control and insecure design, and classify findings against the OWASP Top 10 security vulnerabilities framework. The AI agents will then surface recommendations to fix code based on the context they have been able to establish.
Finally, DevSecOps teams can also use natural-language prompts to teach SAST AI about specific practices and policies.

The SAST AI tool is arriving at a time when developers are relying on AI coding tools to generate more code than ever. The challenge is that AI coding tools typically invoke a general-purpose LLM that was trained on examples of code pulled from across the web, many of which were deeply flawed. The end result is that many of these tools are generating vulnerabilities in code that, on average, require 15 to 30 minutes each to triage.
Unfortunately, many application developers lack the cybersecurity expertise required to identify many of the vulnerabilities being generated. It’s then left to DevSecOps engineers to discover and remediate the rest before code is added to a production environment. Despite their best efforts, however, there are a lot more application developers than there are DevSecOps engineers, so more vulnerabilities are inevitably going to find their way into production environments.
The only way to break that cycle is to rely on AI to discover and help remediate the vulnerabilities being generated by AI coding tools, said Gupta. The issue is that organizations cannot rely on the same LLM that was used to create code to also analyze that code for vulnerabilities, he added.
It’s probable that application security in the age of AI will get worse before it eventually gets better. Existing tools for analyzing code are often ignored by developers simply because they generate too many false positive alerts. As AI is incorporated into SAST tools, however, the overall level of noise generated by these tools should decline. In the meantime, DevOps teams should exercise more care. After all, if more of the code being created by AI tools winds up creating more security issues, the whole point of being able to build software faster becomes self-defeating.