Prime Security today emerged from stealth to make available a beta version of a platform that leverages artificial intelligence (AI) to ensure the appropriate guardrails are being followed as software is developed.
Fresh off raising $6 million in funding, Prime Security CEO Michael Nov said the goal is to make it simpler for software engineering teams to follow Secure By Design principles.
At the core of the Prime Security platform is a context-risk engine that leverages multiple types of AI models to identify security issues before applications are deployed in production environments.
The primary reason there are so many application security issues these days is that actual risks were never properly assessed in the first place. The AI models created by Prime Security have been trained using best practices defined by multiple security frameworks that make it easier to identify issues as applications are being created versus long after they have been deployed and potentially exploited, noted Nov.
Typical issues the Prime Security platform will surface include errors in authorization logic, unencrypted sensitive data, expired sessions, improper role-based access control, unapproved external entities, unrestricted network access, administrative tasks assigned to low-privileged accounts, insufficient audit trails, and unauthorized transfer of personally identifiable information (PII).
The Prime Security platform has also been integrated with tools such as Jira and Confluence from Atlassian to help manage the overall remediation effort.
It’s not clear to what degree the application security issues organizations regularly encounter might be resolved by AI, but at the very least AI can make it easier to identify issues. That’s critical because while a lot of DevSecOps progress has been made, most application developers generally don’t have a lot of security expertise, noted Nov.
No developer deliberately sets out to build and deploy an insecure application, but the level of cognitive load they are expected to attain and maintain as it pertains to application security issues is simply too high. Scanning tools have come a long way in terms of making it easier to identify issues as code is being written, but there are a host of other potential DevSecOps issues that without the aid of an AI platform can be easily overlooked.
Unfortunately, cybercriminals have become a lot more adept at scanning for these vulnerabilities, many of which are being exploited after an application has been deployed or updated. In effect, AI presents an opportunity to close the cybersecurity skills gap that exists within many application development teams, said Nov. Usage of AI to address long-standing DevSecOps challenges is arguably long overdue, he added.
While it’s clear more organizations than ever are applying AI to application development, most of them are not very far along in terms of specifically using AI to improve application security. Depending on the skills of the developer, in some instances, AI tools and platforms might improve the security of the code being written. In other instances, those tools might generate code that has known vulnerabilities because they were trained using examples of code of varying quality collected from across the internet. The only way to address that issue, however, may be to rely more on AI to govern the software development process, regardless of whether the code was created by a human or a machine.