The volume of code needed is greater than ever, while the cycles available to produce it are shrinking. One consequence is that security has become secondary, both because developers lack training in secure coding practices and because they lack the cycles to fix vulnerabilities. In a developer survey of over 1,000 U.S. IT professionals, over a third of developers reported spending up to 33 percent of their time fixing bugs and vulnerabilities instead of writing code. This is further compounded by noisy vulnerability detection tools that produce large volumes of false positives, making prioritization even more difficult.
Qwiet AI is improving the speed to secure code and simplifying the process of getting there. Qwiet AI’s best-in-class accuracy in finding vulnerabilities reduces the remediation load on development teams, and then goes a step further by providing AI-generated AutoFixes that turn remediation from a process of hours into one of minutes.
“Qwiet AI gives us the speed and accuracy that we need to create security feedback loops for our development team without altering their workflows. Not only are we seeing a month-over-month decline in MTTR, but it’s now common for vulnerabilities to get fixed in the same sprint they are found, and, most importantly, our engineers really like the process.” CISO at a leading global airline
Qwiet AI is the first in the AppSec industry to provide AI-powered detection of vulnerabilities in code with increased accuracy and in a fraction of the time compared to legacy competitors. False positives and alert fatigue stem from one key part of AppSec testing tools: the scanning methodology. Legacy tools typically use a “localized” scanning method that examines code in siloed blocks without considering the rest of the application. How data flows throughout the application is left unexamined, leading to results with low accuracy.
Here is how Qwiet AI stays ahead of the curve. Qwiet AI’s preZero platform leverages a Large Language Model (LLM) that has been trained on over six years of data, amounting to over 78 billion lines of code. When the preZero platform conducts a scan, it creates a Code Property Graph (CPG) of the application. This is a holistic approach: it scans the entire application and how data flows through the code. A CPG merges multiple graph representations of the code into a single layered graph. Through this method, scans take minutes rather than hours, produce fewer false positives, show the reach of a potential vulnerability, and give a real-world perspective on how the vulnerability itself would be approached and abused.
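The contrast between localized and whole-program scanning described above, as an added illustration that is not Qwiet AI’s code or the preZero platform’s CPG implementation: a toy CPG over a constructed eight-statement program, with value-flow (DDG) edges inside functions and CALL edges carrying arguments to parameters. A per-function scan cannot see callers, so it must assume every parameter is tainted and reports two findings, one of them a false positive; a whole-program walk over the same graph reports only the path that actually reaches a sink unsanitized, with the full trace.

```python
from collections import defaultdict

# Constructed toy CPG: one node set, two edge layers (DDG = value flow inside a
# function, CALL = argument-to-parameter flow across a call). Not real tool output.
def build_sample():
    nodes = {  # id: (label, function, kind)
        "n1": ("raw = req.param('id')", "handle", "source"),
        "n2": ("safe = escape(raw)", "handle", "sanitizer"),
        "n3": ("lookup(safe)", "handle", "stmt"),
        "n4": ("delete(raw)", "handle", "stmt"),
        "n5": ("v", "lookup", "param"),
        "n6": ("db.query('SELECT ... ' + v)", "lookup", "sink"),
        "n7": ("v", "delete", "param"),
        "n8": ("db.query('DELETE ... ' + v)", "delete", "sink"),
    }
    edges = defaultdict(list)
    for s, d in [("n1", "n2"), ("n2", "n3"), ("n1", "n4"), ("n5", "n6"), ("n7", "n8")]:
        edges[(s, "DDG")].append(d)
    edges[("n3", "CALL")].append("n5")   # lookup() only ever receives the escaped value
    edges[("n4", "CALL")].append("n7")   # delete() receives the raw request parameter
    return nodes, edges

def taint_paths(nodes, edges, scope=None):
    """Source->sink paths over value-flow edges that never cross a sanitizer.
    scope=None walks the whole program; scope="fn" models a localized scan: only
    fn's own nodes are visible, so its parameters must be assumed tainted."""
    if scope is None:
        starts = [n for n, (_, _, k) in nodes.items() if k == "source"]
    else:
        starts = [n for n, (_, f, k) in nodes.items() if f == scope and k == "param"]
    found = []
    def walk(nid, path):
        _, func, kind = nodes[nid]
        if (scope and func != scope) or kind == "sanitizer":
            return                           # invisible to this scan, or value cleaned
        if kind == "sink":
            found.append([nodes[n][0] for n in path])
            return
        for layer in ("DDG", "CALL"):
            for nxt in edges.get((nid, layer), []):
                if nxt not in path:
                    walk(nxt, path + [nxt])
    for s in starts:
        walk(s, [s])
    return found

def localized_findings(nodes, edges):
    """Per-function scan: each function examined in isolation, results summed."""
    funcs = sorted({f for _, f, _ in nodes.values()})
    return [p for f in funcs for p in taint_paths(nodes, edges, scope=f)]
```

Running `localized_findings` on the sample yields two findings, the `lookup` one being a false positive because its only caller escapes the value; `taint_paths` with no scope yields the single real source-to-sink trace through `delete`.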
“The CPG analysis is of high quality and value. Open-source tools cannot provide this without a decent amount of effort, and competitors we have tested don’t match the performance.” AppSec leader at a leading global financial services firm
Reinforcing Qwiet AI’s momentum and its mission to make insecure code a thing of the past, the company recently released AI AutoFix, a tool that leverages generative AI to automatically produce code suggestions when vulnerabilities are identified. This significantly reduces the time developers spend researching potential fixes and keeps teams in a flow state where they can continue to produce secure code.
“We can trace the origin of almost all cyber attacks to insecure code,” said Stuart McClure, CEO of Qwiet AI. “Developers are pressed with tighter deadlines, spending countless hours chasing vulnerability fixes and experiencing burnout. With the advent of AI-powered AppSec solutions, we have a real answer to eliminating vulnerabilities as we find them.”
“In a world where developers want to move fast, but the cyber team always want to re-risk, bringing these two elements together represents a much-needed point of fusion,” said Chris Hatter, Qwiet AI CISO.
What would you do if you could free up 10,000 hours? In a comparison of 10 applications totaling 4.9 million lines of code against a customer’s legacy competitor, Qwiet AI found 522 vulnerabilities compared to the legacy competitor’s 2,928. Upon review, Qwiet AI returned 28 false positives while the competitor returned 2,339, a false positive rate of 79.9 percent for the legacy competitor and 8 percent for Qwiet AI. Assuming approximately 4 hours to research and fix each vulnerability, addressing the legacy competitor’s findings would take approximately 11,712 hours, compared to approximately 2,088 hours for Qwiet AI’s findings, saving the customer 9,624 hours. It is clear that as the cyber threat landscape continues to evolve, AI-powered solutions will be an essential part of every developer’s toolkit. To see for yourself, check out the preZero platform or request a demo.
About the Author
Pete Green, vCISO, Cybersecurity Consultant and Reporter for CDM. Pete Green has over 20 years of experience in Information Technology related fields and is an accomplished practitioner of Information Security. He has held a variety of security operations positions including LAN / WLAN Engineer, Threat Analyst / Engineer, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Manager / Director of IT, CTO, CEO, and Virtual CISO. Pete has worked with clients in a wide variety of industries including federal, state and local government, financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality. Pete holds a Master of Computer Information Systems in Information Security from Boston University, an NSA / DHS National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA / CD), and a Master of Business Administration in Informatics. Pete can be reached online at ([email protected], @petegreen, https://linkedin.com/in/petegreen ) and at our magazine’s website https://www.cyberdefensemagazine.com