
The latest executive order on cybersecurity issued today, Jan 16, 2024, covers a lot of ground across multiple cybersecurity domains, from software security to post-quantum cryptography. The White House is sending a clear message to both the public and private sectors that the threats from foreign adversaries are more dire than ever. It comes at a time when we see increasing evidence of foreign adversaries compromising organizations key to running a free and open society. Some of the more infamous examples include the SolarWinds attack in 2020 and the MOVEit attack in June 2023, which impacted the Department of Energy among other government entities. There are plenty more out there with less notoriety, and many will likely be discovered.

This new EO doubles down on EO 14028 and the importance of operationalizing software security. It highlights that despite best efforts, government suppliers and entities still struggle to produce secure software. The key takeaways for Application/Product Security leaders would be:

  • The government is signaling its concern that software suppliers commit to software security processes, including the timely remediation of vulnerabilities, but then fail to deliver on them.
  • NIST 800-218 is in for a meaningful update. According to the EO, the update will cover “practices, procedures, controls, and implementation” for developing and delivering secure software.
  • The security of AI code generation capabilities and their output was explicitly called out. Multiple studies have shown that AI-generated code is indeed vulnerable. (See “Cybersecurity Risks of AI-Generated Code,” Center for Security and Emerging Technology.)
  • Start laying the foundation for a post-quantum world in which our existing cryptographic controls are weakened, if not useless.

We’re in a new age of software security. It has become more complex, not less. AI adoption is on the rise, developers are using co-pilots, and employees who were previously unable to code can now code. This is on top of an already very complex attack surface.

What are some immediate actions you can take to advance your application/product security program and deliver on the guidance supplied in this new EO?

Navigating the New Age of Software Security

  • Formalize your Secure Software Development Pipelines, even if you’re not directly engaging with the government.
  • NIST 800-218 is an excellent guide to getting started. If you haven’t compared and contrasted your internal application security program to the guidance in NIST 800-218, I’d highly recommend that you do. Qwiet.AI and many of our industry peers can undoubtedly assist in modeling your maturity and charting a plan that enables your appsec program to be tailored to your business needs.
  • Integrate effective tools into your developers’ IDEs and CI/CD pipelines and empower developers to act independently.

AI: A Blessing and a Curse for AppSec

Investing in AI solutions is a must to get ahead of the wave.

  • The curse is more vulnerable code. According to GitHub, developers equipped with a co-pilot generate code 55% faster and 46% of the code is completed by the co-pilot.
  • The blessing is AI will unlock incredible new innovations and serve as the solution to scaling application security teams to the point that we can actually “bend the curve” to fix faster than we find.
  • Autofix solutions on the market today are giving developers the head start they need to fix security vulnerabilities while remaining productive in building features.
  • If you’re experimenting with AI products or your business is using AI to deliver services, you need to ensure you have a strong AI governance model in place. Try to avoid overcomplicating matters of security policy. Lean on pre-existing policies governing data security and code.

Post-Quantum Preparation

The EO suggests that the time is now to prepare for post-quantum computing and the real risks it poses to our cryptographic controls. Realistically speaking, we still seem to be a ways away from this. As an example, experts predict that about 4 million qubits (the qubit being the basic unit of information in quantum computing) are required to break RSA within a reasonable timeframe. Google’s new Willow Supercomputer, while an incredible new innovation, has 105 qubits. Regardless, I’d recommend:

  • Familiarize yourself with NIST’s guidance: https://www.cisa.gov/quantum
  • Consider engaging a few vendors in the market to see what solutions are readily available.

Looking Ahead

Most of this executive order consists of common-sense guidelines given the current threat landscape. There is an acknowledgment of concern that organizations are not fixing the vulnerabilities they find. We, on the vendor side, need to do all we can to equip our customers with the tools and techniques they need to bend the curve and start fixing more than we find… and ultimately, prevent the volume of security flaws that we see in code.

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai
