Synopsys has partnered with NowSecure and Secure Code Warrior to enable organizations to better identify where they can improve DevSecOps best practices.
Scott Johnson, senior director of product management for the Software Integrity Group at Synopsys, said the data captured by the application security testing tools can now more easily be used to identify ongoing issues, which in turn can be used, for example, to create better mobile application security tests using the NowSecure platform.
That same data can also be fed into the online learning platform Secure Code Warrior provides to enable developers to improve their cybersecurity skills.
Collectively, those observability capabilities will significantly reduce the overall level of application security risk that organizations today experience, noted Johnson.
Secure Code Warrior CTO Matias Madou noted that improving the cybersecurity expertise of developers is more critical than ever. The more expertise they have, the easier it becomes to remediate issues before and after applications are deployed in a production environment.
That’s going to become an even more crucial requirement as the rate at which code is being written increases exponentially with the rise of artificial intelligence (AI). While AI can improve the quality of code being written, it’s also likely that an AI platform trained using code collected from the internet is going to introduce vulnerabilities. This is because the code used to train an AI model such as ChatGPT is inconsistent in quality, he added.
It’s not clear at what rate application security is improving due to the adoption of DevSecOps best practices, but as AI becomes more widely employed by developers, a paradox is starting to emerge. There is no doubt that vulnerabilities developers have inadvertently introduced are being eliminated by AI tools that surface examples of secure code for developers to copy and paste. However, not every example of code is completely devoid of risk, so there is going to be more code that needs to be scanned for vulnerabilities.
This issue will become particularly problematic as regulations making organizations more accountable for application security become law in the months ahead. Thanks to AI, there is no doubt organizations will be building and deploying applications containing vulnerabilities at much faster rates.
The hope is that AI tools specifically trained to identify vulnerabilities will soon be embedded in the tools that developers and DevOps teams rely on to initially build and deploy applications. However, a gap is emerging between the pace at which AI tools are being used to build applications and the availability of tools that use AI to first detect vulnerabilities and then help automate the remediation process. As a result, application security issues, at least for the immediate future, will continue to bedevil DevOps teams.
Unfortunately, given the insecure code that has already been deployed, it may be years before application security issues are resolved to the point where the current level of stress for all concerned is meaningfully reduced.