Secure Code Warrior Leverages AI to Extend DevSecOps Training Reach

Secure Code Warrior this week extended the capability of its artificial intelligence (AI) agent to make it possible to surface relevant training insights in real time as application developers are writing code.

Announced at the Gartner Security & Risk Management Summit, the Adaptive Learning capability added to the company’s learning platform detects which AI tools each developer is using, down to the lines of code they commit, and automatically surfaces relevant training to enable developers to identify compliance issues and remediate vulnerabilities discovered in their code repositories.

The SCW Trust Agent is able to discover those vulnerabilities by importing application programming interface (API) data from Checkmarx, SonarQube, and Parasoft as well as uploads of Static Analysis Results Interchange Format (SARIF) files.

DevSecOps teams can also map vulnerabilities to repositories and contributors and track tasks assigned and completed to evaluate how application developers are progressing over time.

Finally, policies can be set that automatically assign targeted micro training to specific developers based on vulnerabilities discovered.
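As an added illustration of the flow described above (SARIF import, mapping findings to contributors, policy-driven assignment of micro training), not Secure Code Warrior's own code: the SARIF log, the blame table and the CWE-to-module policy below are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed minimal SARIF 2.1.0 log standing in for an uploaded scanner report.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "SQLI-001", "properties": {"tags": ["CWE-89"]}},
        {"id": "XSS-002", "properties": {"tags": ["CWE-79"]}}]}},
    "results": [
        {"ruleId": "SQLI-001", "level": "error", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "XSS-002", "level": "warning", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/views.py"}, "region": {"startLine": 7}}}]},
        {"ruleId": "SQLI-001", "level": "error", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/views.py"}, "region": {"startLine": 19}}}]}]}]})

# Hypothetical (file, line) -> last committer table, the shape `git blame` would give.
BLAME = {("src/db.py", 42): "alice", ("src/views.py", 7): "bob", ("src/views.py", 19): "alice"}
# Hypothetical policy: a CWE tag on a rule maps to the micro-training module to assign.
POLICY = {"CWE-89": "SQL Injection", "CWE-79": "Cross-Site Scripting"}

def parse_sarif(text):
    """Flatten a SARIF log into one record per result location, carrying the rule's CWE tags."""
    findings = []
    for run in json.loads(text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tags = {r["id"]: r.get("properties", {}).get("tags", []) for r in driver.get("rules", [])}
        for res in run.get("results", []):
            for loc in res.get("locations", []):  # a result may carry several locations
                phys = loc.get("physicalLocation", {})
                findings.append({"rule": res.get("ruleId"), "level": res.get("level", "warning"),
                                 "tags": tags.get(res.get("ruleId"), []),
                                 "uri": phys.get("artifactLocation", {}).get("uri"),
                                 "line": phys.get("region", {}).get("startLine")})
    return findings

def assign_training(findings, blame, policy):
    """Attribute each finding to a contributor and collect the modules the policy prescribes."""
    assignments = defaultdict(set)
    for f in findings:
        developer = blame.get((f["uri"], f["line"]), "unattributed")
        assignments[developer].update(policy[t] for t in f["tags"] if t in policy)
    return {dev: sorted(mods) for dev, mods in assignments.items()}
```

Findings whose location has no blame entry are grouped under "unattributed" rather than dropped, so a report with gaps in attribution still surfaces the training need.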

Secure Code Warrior CTO Matias Madou said this extension to the SCW Trust Agent makes it possible for organizations to, for example, provide highly personalized training that prevents application security issues that might later have to be addressed in a production environment from ever arising in the first place.

It’s too early to determine what impact AI will have on the quality of applications. The first wave of AI-generated code is creating more vulnerabilities to remediate simply because much of the code generated is derived from examples of often flawed code pulled from a wide variety of sources. However, as the reasoning capabilities of the large language models (LLMs) used to generate code improve, many of the vulnerabilities that were once routinely created by humans and machines alike are starting to diminish.

The SCW Trust Agent takes that capability to the next logical level by adding an AI agent that is specifically trained to identify issues in code as it is developed, said Madou. That capability, in addition to making it easier to debug code generated by an AI coding tool, also helps identify weaknesses, such as bloated code, that might unnecessarily increase the overall size of the attack surface that needs to be defended, he added.

Mitch Ashley, vice president and practice lead for software lifecycle engineering at the Futurum Group, said a governance layer for AI-generated code is consolidating above the scanners, with secure-code training repositioned as a commit-level signal tied to AI attribution. Security and engineering teams now need to make a different decision because point-in-time scanning cannot prove which contributor, human or agent, produced and remediated a vulnerability, he added.

Auditable per-developer evidence becomes the requirement that compliance and AI now make it impossible to defer, said Ashley.

Regardless of that approach, the one thing that is clear in the AI era is there needs to be a lot more emphasis on preventing as many vulnerabilities as possible from ever being created in the first place.
