Veracode today revealed an alliance through which it will integrate its application security posture management (ASPM) platform with the cloud native application protection platform from Wiz.
Derek Maki, head of product at Veracode, said the connectors provided will make it simpler to correlate risks discovered in source code using Veracode Risk Manager (VRM) with the threats discovered in production environments using the Wiz cybersecurity platform, including known vulnerabilities and misconfiguration findings.
Any security threat discovered by Wiz will also be fed directly into VRM to enhance its risk scoring model in a way that should enable DevSecOps teams to better prioritize their remediation efforts, he added.
The overall goal is to bolster efforts to shift more responsibility for application security left toward developers by providing them with the additional context needed to fix issues before code is deployed in a production environment, said Maki.
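The correlation described above can be illustrated with a small prioritization routine. The following is an added example written for this page; it is not Veracode's or Wiz's code, and it assumes a hypothetical data shape in which each source-code finding names the component it was found in and each runtime finding names the component a deployed workload was built from, so the two sets can be joined on that field. All sample findings and the CVE value are constructed placeholders.

```python
"""Rank source-code findings using production context (added illustration).

Assumption: SAST findings and runtime findings share a `component` key.
Scoring weights are arbitrary choices for the demonstration, not a vendor model.
"""
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
DEPLOYED_BONUS = 5        # finding lives in code that actually runs somewhere
EXPOSED_BONUS = 5         # ...and that workload is reachable from the internet


@dataclass
class CodeFinding:
    """A static-analysis finding tied to a source component (hypothetical shape)."""
    id: str
    component: str
    severity: str
    cwe: str


@dataclass
class RuntimeFinding:
    """What a cloud-security scanner reports about a deployed workload (hypothetical shape)."""
    workload: str
    component: str
    internet_exposed: bool
    known_cves: list = field(default_factory=list)
    misconfigs: list = field(default_factory=list)


def score_finding(finding, runtime):
    """Return (score, reasons): base severity raised by deployment and exposure context."""
    score = SEVERITY_WEIGHT[finding.severity]
    reasons = [f"severity={finding.severity}"]
    deployed = [r for r in runtime if r.component == finding.component]
    if not deployed:
        reasons.append("not deployed")
        return score, reasons
    score += DEPLOYED_BONUS
    reasons.append(f"deployed on {len(deployed)} workload(s)")
    if any(r.internet_exposed for r in deployed):
        score += EXPOSED_BONUS
        reasons.append("internet exposed")
    # Each known CVE or misconfiguration on the same workload adds one point:
    # the more ways in, the sooner the code flaw should be fixed.
    runtime_issues = sum(len(r.known_cves) + len(r.misconfigs) for r in deployed)
    if runtime_issues:
        score += runtime_issues
        reasons.append(f"{runtime_issues} runtime issue(s) on the same workload")
    return score, reasons


def prioritize(code_findings, runtime):
    """Sort findings by context-adjusted score, highest first."""
    ranked = [(f.id, *score_finding(f, runtime)) for f in code_findings]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample data: a "high" SQL-injection finding on an exposed service,
# a "critical" deserialization finding on an internal-only service, and a
# "medium" XSS finding in a component that is not deployed at all.
SAMPLE_CODE = [
    CodeFinding("VRM-1", "payments-api", "high", "CWE-89"),
    CodeFinding("VRM-2", "internal-reports", "critical", "CWE-502"),
    CodeFinding("VRM-3", "batch-etl", "medium", "CWE-79"),
]
SAMPLE_RUNTIME = [
    RuntimeFinding("prod/payments-api", "payments-api", True,
                   known_cves=["CVE-0000-PLACEHOLDER"], misconfigs=["public-ingress"]),
    RuntimeFinding("prod/reports", "internal-reports", False),
]


if __name__ == "__main__":
    for fid, total, why in prioritize(SAMPLE_CODE, SAMPLE_RUNTIME):
        print(f"{fid}: {total:2d}  ({'; '.join(why)})")
```

With the constructed input, the "high" finding on the exposed payments service (score 19) outranks the "critical" finding on the internal reporting service (score 15), which is the kind of reordering the production context is meant to produce; the undeployed finding keeps only its base severity (4).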
It’s not clear how much progress is being made in terms of adoption of DevSecOps best practices, but a recent Futurum Group survey of cybersecurity leaders finds all are investing in software supply chain security, with ASPM and DevSecOps automation and orchestration topping the priority list, followed closely by software composition analysis (SCA) tools, application programming interface (API) security and dynamic application security testing (DAST) tools.
However, the source of the funding for these initiatives is becoming more shared, with only 21% of respondents reporting that security budgets are the sole source. In fact, half of the respondents (50%) noted that application development teams now own responsibility for application security.
Overall, only 25% of respondents said there is limited collaboration with application development teams, resulting in occasional friction, compared to 59% that said there is good collaboration with room for improvement. Only 16% said there is a tight partnership based on shared goals.
In general, the relationship between application development and cybersecurity teams has improved, but as artificial intelligence (AI) tools are used to write code, the number of vulnerabilities finding their way into source code has increased, said Maki. Most of the AI coding tools were trained using examples of flawed code collected from across the internet, resulting in output that contains many of the same vulnerabilities. Organizations, as a result, now need to scan more source code than ever for vulnerabilities that most application developers are still not going to easily recognize on their own, he added.
Hopefully, as more AI capabilities are added to application security tools and platforms, those vulnerabilities will be identified and remediated as code is created. Veracode, for example, is working on developing an AI agent that will use the data it collects to surface those issues faster, noted Maki.
In the meantime, DevSecOps teams should assume that much of the code being written by hand or generated by a machine today still has a significant number of vulnerabilities that at some point are likely to be exploited by cybercriminals who are also relying more on AI to find them.