AI augmentation in security software

March 2024 Security Services & Risk Management, AI & Data Analytics


Paul Meyer

If you missed it, the first article in this series can be found at www.securitysa.com/21546r.

Static Application Security Testing (SAST) is defined as the products and services that analyse application source byte, or binary code for security vulnerabilities. These tools are one of the last lines of defence to eliminate software security vulnerabilities during application development or after deployment.

These software security tools and services report weaknesses in source code that can lead to vulnerabilities that can be exploited, which can, of course, lead to a breach and subsequent damage to your organisation. SAST enables companies to assess and transform their security posture.

This paradigm shift in static analysis dramatically increases return on investment as the time and cost of audit results decrease substantially. Rather than reducing the breadth of security issues, scan analytics platforms can distinguish non-issues from the real thing, and they can do this automatically. This innovative approach utilises big data analytics to scale secure software assurance to the enterprise without sacrificing scan depth or integrity.

Automated application security must be built into their processes, especially as businesses transition to DevSecOps environments. Automation reduces the repetitive, time-consuming work of issue review through the scan analytics platform.

Human intervention is still needed

SAST reports categorise issues in terms of criticality, but they must then be manually confirmed by expert application security auditors as either exploitable or not a problem. These specialists are required to validate findings using details specific to the enterprise, such as the context of an application and its deployment. Time-consuming audits have traditionally come at a significant cost to businesses and expose fundamental challenges attached to delivering secure applications.

The much-reported cybersecurity skills gap adds to the challenge of software security assurance. Static analysis tools make the impossible job of securing code possible, and a skilled auditor’s software security expertise verifies actionable findings. Even the best security teams are ultimately limited by the human experience available. However, this often pales into insignificance compared to the innumerable software flaws companies can be exposed to.

This is where machine learning (ML) comes to the fore with the next evolution of applications making the process of securing developing ones quick and efficient. These techniques extend the reach and better scale the expertise of security professionals through the entire development lifecycle.

ML coupled with predictive analytics - the next generation of SAST - provides actionable intelligence with problems being assessed by scan analytics platforms.

AI-driven static analysis and ML vastly increase speed and accuracy in application security by running thousands of static, dynamic, and mobile scans per week, scanning billions of lines of code. The scan results are then passed to a team of expert auditors who identify and prioritise the findings.

In this way, it is possible to confidently assess the vulnerability and complexity of threats and determine how issues must be categorised, for example, labelling them as exploitable, indeterminable, or not a problem.

Through ML technologies, a company’s application security program can become more efficient and effective without expanding headcount or allocating additional budget. This shift in SAST from scarce human expertise to the limitless scalability of AI can reduce non-issue findings by up to 90 percent. 

Conclusion

Enterprises no longer need to accept noisy scan results, nor do they need to make trade-offs between scan comprehensiveness and time-to-audit. It is also not necessary to negatively impact product delivery dates with scan review time. Classifiers trained on anonymous issue metrics can reduce the expense of software security assurance programs without the risk of identifiable data being transmitted to the cloud. Today, it is possible for businesses to reduce their overall security workload through vulnerability prediction software.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Cybersecurity needs actual intelligence before artificial intelligence
Information Security AI & Data Analytics
Cybersecurity depends on interpretation. A tool can tell you that something unusual has happened, but people need to determine whether it is a genuine risk, the business impact, and how to respond without causing unnecessary disruption.

Read more...
Identity recovery matters most
Security Services & Risk Management
As cyberattacks grow more targeted, more destructive, and increasingly aimed at the very fabric of trust within the enterprise, the ability to restore identities has become just as critical as restoring data.

Read more...
ISO 27701 helps demonstrate privacy compliance beyond POPIA
Security Services & Risk Management
ISO 27701 include privacy-specific controls and provides a structured way to manage Personally Identifiable Information (PII) throughout its lifecycle, giving organisations a way to demonstrate how privacy is managed.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
Increase in cyberattacks on the manufacturing sector
Security Services & Risk Management News & Events Industrial (Industry)
According to a new Kaspersky ICS CERT report, in the first quarter of 2026, the percentage of industrial control systems (ICS) on which malicious objects were blocked reached 19,6% globally.

Read more...
Next-generation cash-in-transit vehicle
News & Events Security Services & Risk Management
Fidelity Services Group has unveiled a new, purpose-engineered Cash-in-Transit (CIT) vehicle designed to redefine crew protection, deter threats, and enhance operational resilience in an increasingly complex criminal environment.

Read more...
The risk at the edge of South Africa’s agriculture supply chain
Security Services & Risk Management Agriculture (Industry) Logistics (Industry)
Research from ESET has found that a significant number of South African agritech operators and farmers continue to believe their companies are not attractive targets for cybercriminals. Unfortunately, that belief is precisely what makes them one.

Read more...
AURA partners with Discovery to launch Discovery 911
News & Events Security Services & Risk Management
AURA has announced a partnership with Discovery Insure to power the security-response component of its new Discovery 911 virtual panic-button offering, which is available through the Discovery Insure app.

Read more...
Break the silence on fraud
Security Services & Risk Management
We are entering a new era of fraud, one defined by groups that operate across borders, using advanced digital tools and impersonation tactics to deceive victims and wear down communities' trust and financial security.

Read more...
Africa’s white-collar crime landscape
Security Services & Risk Management
White-collar crime in Africa is no longer a predominantly domestic concern; it has expanded onto the international stage, and so too has the corporate exposure that accompanies it.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.