Appknox Adds AI Tool to Detect and Fix Vulnerabilities in Mobile Applications

Appknox today added an ability to apply artificial intelligence (AI) to assess vulnerabilities in the binaries used to construct a mobile application and recommend a fix that can be passed on to an AI coding tool to implement.

Company CEO Harshit Agarwal said KnoxIQ provides an AI copilot to more accurately assess how exploitable a vulnerability within a mobile application is, rather than relying on a generic Common Vulnerabilities and Exposures (CVE) score.

Once assessed, it then becomes possible to recommend the best way to remediate that vulnerability using whichever AI coding tool a software engineering team has adopted. The key difference is that Appknox is able to continuously analyze compiled applications based on runtime behavior rather than static code alone to provide more accurate detection of vulnerabilities, said Agarwal.

While the degree to which application developers have adopted AI may vary, one thing that is clear is that the way vulnerabilities are patched is fundamentally changing. Instead of manually creating and testing a patch, application development teams are increasingly relying on coding tools to create a patch based on known best practices for remediation. If for some reason the patch breaks an application, an AI coding tool now makes it possible to replace that patch with another in a matter of minutes rather than days, noted Agarwal.

There will always be a need for a human to be involved in that DevSecOps workflow, but the overall pace at which vulnerability issues are resolved will be greatly accelerated, he added.

That capability makes it more feasible for software engineering teams to create and apply a patch without necessarily having to rely on the developer who initially wrote the code that created the vulnerability. In fact, there may come a day when application security starts to substantially improve as the number of vulnerabilities finding their way into production environments starts to be substantially reduced.

Mitch Ashley, vice president and practice lead for software lifecycle engineering at the Futurum Group, said AI is clearly shifting vulnerability assessment from generic CVE scoring toward context-aware exploitability analysis that routes directly into automated remediation workflows. Appknox’s KnoxIQ reflects a broader pattern: security tooling competing to own the connection between vulnerability intelligence and AI coding, he added.

For application security teams, the exploitability context that once required manual expertise can now feed directly to an AI coding tool, compressing remediation from days to minutes, noted Ashley. Teams that treat assessment and remediation as separate workflows will soon find that the gap between them becomes a bottleneck in AI-accelerated development pipelines, he added.

Unfortunately, in the short term, AI coding tools have tended to create more vulnerabilities simply because they are dependent on large language models (LLMs) that were trained using many examples of flawed code collected from publicly available websites. However, as agentic AI continues to evolve, AI agents specifically trained to discover and remediate vulnerabilities will be added to DevSecOps workflows. As that shift occurs, the overall state of application security should improve even as adversaries also adopt AI to find ways to exploit vulnerabilities faster than ever.



from DevOps.com https://ift.tt/eYs8gWr
