Symbiotic Security emerged from stealth this week to launch a namesake platform that enables application developers to discover and remediate vulnerabilities and other errors in real time as code is being written.
Fresh off raising $3 million in funding, Symbiotic Security CEO Jerome Robert said the company’s software-as-a-service (SaaS) platform is designed to plug into an integrated development environment (IDE). That approach enables application developers to scan for security issues they can quietly resolve on their own using recommendations surfaced by the platform, he added.
Initially focused on Terraform code, which application developers widely use to programmatically provision infrastructure as code (IaC), the Symbiotic Security platform will in time be extended to support other programming languages, said Robert.
In effect, Symbiotic Security is eliminating any shame that application developers might feel when errors in their code are discovered by, for example, a cybersecurity team, said Robert. Rather than merely holding developers accountable for their code, the Symbiotic Security platform shifts responsibility left toward application developers in a way that actually empowers them to resolve issues, he added.
Organizations of all sizes have been investing more time and resources in implementing DevSecOps best practices, with mixed success. A Techstrong Research survey finds less than half (47%) of respondents work for organizations that regularly employ best DevSecOps practices. Only 54% said application developers regularly scan code for vulnerabilities during development. An even lower percentage (40%) conduct security testing.
On the plus side, a full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high. At the same time, 64% of respondents are investing in a code scanning tool, with 24% describing those investments as high. The survey also finds investments in DevOps have already had either a high (34%) or medium (43%) impact on improving software security for more than three quarters (77%) of respondents.
The challenge is determining how to ensure best practices are followed without unduly slowing down the rate at which applications are being built and deployed. Application developers typically resent tools and platforms that generate so many false-positive alerts that they become a distraction and inhibit developers' ability to focus.
Application developers don’t typically allocate much time to creating patches for applications, so the more tools can identify relevant issues as developers are actually writing code, the more likely it becomes that developers will embrace DevSecOps practices. That’s crucial at a time when more developers are starting to rely on AI to write code that might not be secure. The general-purpose large language models (LLMs) that these AI tools are based on have been trained using code of varying quality that has been aggregated from across the Web. As a result, it’s not uncommon for these tools to generate vulnerable code.
Hopefully, LLMs that have been trained using code that has been vetted for vulnerabilities should generate code that is more secure than what many human developers can currently produce. In the meantime, however, providing application developers with tools that discover issues as they write code should reduce the overall number of application security incidents that might occur later on.