Cycode has added a static application security testing (SAST) tool to its application security posture management (ASPM) platform that, the company says, produces fewer false positives than rival tools.
Devin Maguire, senior product marketing manager for Cycode, said the SAST tool takes advantage of a proprietary platform that, measured against OWASP benchmarks, achieves a 2.1% false-positive rate, representing a 94% improvement over rival open-source SAST tools.
Cycode is adding the SAST capability at a time when many rivals that have relied on the open source Semgrep SAST tool are adjusting to changes in the terms under which that software is licensed. Rather than relying on that tool, Cycode determined it could extend the reach of its code ASPM engine to provide a more accurate SAST tool capable of scanning across multiple files at once, said Maguire.
One of the frustrations that many DevSecOps teams have with their current SAST tools is that they scan individual files. That approach provides faster feedback at the cost of increasing the number of false positives created, noted Maguire.
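To make the single-file versus cross-file distinction concrete, here is a toy taint analysis written for this article; it is not Cycode's, Semgrep's or any other vendor's code, and it is deliberately simplistic (flow-insensitive, no sanitizer modelling). It assumes `request.args.get(...)` as the untrusted source and `db.execute(...)` as the SQL sink, both hypothetical conventions chosen for the demo, and runs over a constructed two-file code base. The file-at-a-time scan cannot see callers, so it must treat every function parameter as untrusted and flags both concatenating helpers; the whole-program scan propagates taint along call edges and only flags the helper that actually receives request data.

```python
import ast

# Hypothetical source/sink conventions for this demo, not any vendor's rule set.
SOURCE_CALL = ("request", "args", "get")  # untrusted input: request.args.get(...)
SINK_CALL = ("db", "execute")             # SQL sink: db.execute(query)

# Constructed two-file sample code base. Both helpers in db_utils.py build SQL by
# concatenation, but only run_query() is ever handed user-controlled data.
SAMPLE_FILES = {
    "db_utils.py": (
        "def run_query(term):\n"
        "    return db.execute(\"SELECT * FROM items WHERE name = '\" + term + \"'\")\n"
        "\n"
        "def lookup_by_id(item_id):\n"
        "    return db.execute(\"SELECT * FROM items WHERE id = \" + item_id)\n"
    ),
    "handler.py": (
        "def search():\n"
        "    term = request.args.get('q')\n"
        "    return run_query(term)\n"
        "\n"
        "def featured():\n"
        "    return lookup_by_id('42')\n"
    ),
}

def dotted(node):
    """Dotted name of an attribute chain such as db.execute, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None

def is_call_to(node, target):
    return isinstance(node, ast.Call) and dotted(node.func) == target

def names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def function_defs(files):
    """Map function name -> (filename, FunctionDef) over the whole code base."""
    defs = {}
    for fname, src in files.items():
        for node in ast.parse(src).body:
            if isinstance(node, ast.FunctionDef):
                defs[node.name] = (fname, node)
    return defs

def tainted_locals(fn, tainted_params):
    """Names carrying untrusted data inside fn (flow-insensitive; sanitizers not modelled)."""
    tainted = set(tainted_params)
    assigns = [n for n in ast.walk(fn) if isinstance(n, ast.Assign)
               and len(n.targets) == 1 and isinstance(n.targets[0], ast.Name)]
    changed = True
    while changed:
        changed = False
        for node in assigns:
            target = node.targets[0].id
            if target not in tainted and (is_call_to(node.value, SOURCE_CALL)
                                          or names_in(node.value) & tainted):
                tainted.add(target)
                changed = True
    return tainted

def sink_findings(fname, fn, tainted):
    """Sink calls in fn whose query is concatenated (or f-string built) from a tainted name."""
    findings = []
    for node in ast.walk(fn):
        if is_call_to(node, SINK_CALL) and node.args:
            query = node.args[0]
            if isinstance(query, (ast.BinOp, ast.JoinedStr)) and names_in(query) & tainted:
                findings.append((fname, fn.name, node.lineno))
    return findings

def scan_per_file(files):
    """File-at-a-time scan: callers are out of view, so every parameter is assumed untrusted."""
    findings = []
    for name, (fname, fn) in function_defs(files).items():
        params = {a.arg for a in fn.args.args}
        findings += sink_findings(fname, fn, tainted_locals(fn, params))
    return sorted(findings)

def scan_cross_file(files):
    """Whole-program scan: a parameter is tainted only if some caller passes tainted data to it."""
    defs = function_defs(files)
    tainted_params = {name: set() for name in defs}
    changed = True
    while changed:  # propagate taint along call edges until nothing new is learned
        changed = False
        for name, (fname, fn) in defs.items():
            local = tainted_locals(fn, tainted_params[name])
            for node in ast.walk(fn):
                if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                        and node.func.id in defs):
                    continue
                callee = defs[node.func.id][1]
                for param, arg in zip(callee.args.args, node.args):
                    if (names_in(arg) & local or is_call_to(arg, SOURCE_CALL)) \
                            and param.arg not in tainted_params[callee.name]:
                        tainted_params[callee.name].add(param.arg)
                        changed = True
    findings = []
    for name, (fname, fn) in defs.items():
        findings += sink_findings(fname, fn, tainted_locals(fn, tainted_params[name]))
    return sorted(findings)

if __name__ == "__main__":
    print("per-file  :", scan_per_file(SAMPLE_FILES))   # flags run_query and lookup_by_id
    print("cross-file:", scan_cross_file(SAMPLE_FILES))  # flags run_query only
```

The `lookup_by_id` finding in the per-file run is the kind of false positive the article describes: the concatenation is real, but its only caller passes a constant. A real engine would also need to handle sanitizer calls, keyword arguments, methods, imports and aliasing; the point here is only that the caller context is what lets the cross-file scan discard the finding.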
That issue eventually leads to distrust among developers who resent having to spend time tracking down issues in code that don’t really exist, he noted.
Because the SAST tool is coupled with the Cycode ASPM platform, DevSecOps teams can also take advantage of artificial intelligence to prioritize remediation efforts, using suggestions that are automatically generated for them, said Maguire. That's crucial because it enables DevSecOps teams to gain and maintain the trust of the application developers they serve, he added.
It's not clear to what degree changes to the Semgrep licensing model are disrupting DevSecOps workflows, but Cycode claims that, in addition to reducing the number of false positives, its tool is more extensible.
Cycode last year acquired Bearer, a provider of a set of tools for static application security testing (SAST), discovering application programming interfaces (APIs) and identifying sensitive data. Cycode has been at the forefront of the rise of ASPM platforms that continuously ingest data to identify and assess application security risks. Those platforms provide a foundation for consolidating many of the tools that DevSecOps teams currently rely on to secure applications before they are deployed in production environments.
That approach makes it simpler to surface issues at the time code is being written versus after it has already been added to a production environment.
The challenge, of course, is that the amount of code being created is increasing exponentially as application developers rely more on AI coding tools. Unfortunately, many of those tools were trained on samples of code pulled from public repositories, much of which is rife with vulnerabilities. DevSecOps teams need to ensure that any vulnerability generated by those AI tools doesn't find its way into a software build. The only practical way to achieve that goal is to rely more on AI to discover and remediate those vulnerabilities.
Hopefully, as AI makes it simpler to ensure best DevSecOps practices are followed, the number of cybersecurity incidents traced back to vulnerabilities in applications will finally begin to shrink.