Today is the day that all of us at ShiftLeft have been waiting for, the opportunity to share our value, vision and strategy to the world. The company has been reducing the noise that plagues the AppSec industry for some of the world’s largest companies through dramatic innovation like our code property graph and reachability analysis. But to go to the next level we must predict and prevent the unknown unknowns, the unknown vulnerabilities waiting to be discovered in unknown code. The only thing that I know can do this is Artificial Intelligence (AI).
Ever since the early days of Cylance, I realized that the application of AI/ML to the world of cybersecurity was not just necessary but inevitable. After experiencing both the offensive and defensive sides now for some 35 years, I can unequivocally tell you that there is no detect-and-respond solution that will ever predict, much less prevent, brand new and emerging cyberattacks from crippling and terrorizing their victims without AI.
The only hope we have is to learn from the past and predict the future, leveraging the near infinite learning potential of AI inside cybersecurity. To fix the cybersecurity problem for good, at its roots, we need to go where it all starts, the source: code. No credible discussion of protection can be had without starting at the coder and the systems they exist within. Up until now, we simply haven’t bridged the two worlds of AppSec and AI. That is about to change.
AI is near ubiquitous as of late with generational AI platforms like Dall-E 2 and ChatGPT having sparked the imagination of us all. The logical progression points to a world where the very code we rely on is generated by AI. Will it be secure? Well, if it is trained on the billions of lines of code that make up the world today, the answer is an emphatic “no.”
But what if there was a way to produce secure code from the start? There is the other side of AI, the one that learns from the past to predict the future through classification, and what I like to refer to as “predictive AI.” In this field, we can provide the greatest value to cybersecurity and finally learn from the past to predict and prevent future attacks.
Here’s my vision for the application of predictive AI in code science within cybersecurity:
- Train on all known code vulnerabilities, in all their variants, and learn what are the essential features of them all, including nuanced differences by language, framework, and library.
- Learn what code fixes are successful and apply similar fixes to custom code.
- In the world of auto-generated code, provide code-fixing recommendations while they are being generated to ensure safe and secure code.
To start bringing this vision to reality, we have integrated a powerful AI/ML engine into our platform to become the first in the DevSecOps industry to provide AI-powered detection of vulnerabilities in code. On top of the known vulnerabilities and heuristics detection engines, Qwiet AI now has a detection engine–powered by NumberOne AI–that finds not just zero-day, but pre-zero-day vulnerabilities enabling us to prevent the unpreventable.
In light of this new capability, we have also changed the name of our platform to preZero in order to better reflect the true preventative nature of how we deliver value to you through AI.
The addition of AI is just the beginning. To start a revolution in how our digital world becomes more secure, we need a holistic approach to looking at all the pieces of a successful attack and that includes the infrastructure which can be difficult to peer into.
This is where true innovation needs to come, in visibility and observability. And I know just the place to look to quiet the noise.