
WhiteHat Security Looks to AI to Advance DevSecOps

WhiteHat Security is now embedding artificial intelligence (AI) into the application security review services it provides, as part of an effort to advance adoption of DevSecOps processes.

Joseph Feiman, chief strategy officer for WhiteHat Security, said the biggest resistance factor to DevSecOps has been the amount of time it takes to test applications for vulnerabilities. By injecting machine learning into that process via a suite of WhiteHat Sentinel Dynamic tools, which are being made accessible as a software-as-a-service (SaaS) application, developers will be more inclined to conduct security reviews as part of an integrated DevSecOps process, he said.

The AI engine identifies vulnerability patterns in a code-based data lake of 95 million vulnerabilities that WhiteHat Security has found via its dynamic application security testing (DAST) service. WhiteHat Sentinel Dynamic identifies known vulnerabilities in seconds, Feiman said, and any anomalies indicative of potential unknown vulnerabilities are then reviewed by human WhiteHat Security cybersecurity experts.

Feiman said DevSecOps is going through a period of disillusionment because security reviews of code are taking too long. AI technologies represent an opportunity to reignite interest in DevSecOps by giving developers more control over an application security review process that no longer slows down development.

In addition, WhiteHat Sentinel Dynamic enables developers to learn about their potential mistakes without necessarily requiring them to disclose those mistakes to the entire DevOps team. Any humiliation a developer might experience is avoided when the developer conducts the security review prior to committing code. IT security teams are still in charge of creating the policies that need to be implemented, but the processes associated with implementing those policies shift decidedly left to the developer, he said.

Feiman noted that the rise of AI within DevSecOps processes may help alleviate some of the current chronic shortage of cybersecurity expertise. There will always be a need for human cybersecurity researchers to train AI models on what to look for as new vulnerabilities are discovered. But algorithms never take a day off or abruptly quit because they suddenly got a better offer.

It may take a while for IT organizations to completely trust AI engines to scan code for vulnerabilities. But currently many applications are not being reviewed at all, because any time set aside to conduct those reviews is being eaten up by an application development process that has fallen behind schedule. Too many developers would still prefer to take a chance on a breach than be reprimanded for delivering code late, especially when there’s a chance to address vulnerabilities that might get discovered in the next scheduled patch release. WhiteHat Security is making the case for eliminating much of that risk by making it feasible for developers to quietly address vulnerabilities long before an application is deployed in a production environment.

There’s no doubt that AI soon will be employed to automate large swaths of cybersecurity. But it may turn out that the most effective place to apply AI from a cybersecurity perspective is as early in the DevOps process as possible.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
