Legit Security this week added to its application security posture management (ASPM) platform the ability to determine the level of risk a vulnerability actually represents in its deployment context.
The company is also adding the ability to discover and analyze security risks created by application programming interfaces (APIs).
Legit Security CTO Liav Caspi said that level of context provides DevOps teams with the insights required to better prioritize remediation efforts by, for example, identifying the degree to which an affected software component might be reachable from the internet.
That capability is critical because not every vulnerability that has been assigned a high score by a cybersecurity team is automatically a threat to application security, he noted. In fact, many application development teams waste a significant amount of time searching for vulnerabilities in code only to discover that the potentially impacted component isn’t running in memory or connected in any way to the internet, added Caspi.
The ASPM platform developed by Legit Security makes use of machine learning algorithms, generative artificial intelligence (GenAI) and other data science techniques to identify application security issues such as secrets exposed in code repositories, source code management (SCM) tools, logs, artifacts and documentation. Accessed via a software-as-a-service (SaaS) platform, it also enables DevSecOps teams to apply preventive guardrails on developer endpoints using the Legit command line interface (CLI).
Most organizations have limited resources that can be applied to remediation, so ensuring the time allocated to these tasks is put to the best use is crucial. Too often application developers will focus on resolving the easier issues rather than developing a patch for a more critical vulnerability that may be more difficult to fix.
The ASPM platform developed by Legit Security analyzes what sensitive data, application programming interfaces (APIs) and other services might be reachable via a vulnerability to enable DevSecOps teams to identify which application security issues are the most pressing, said Caspi.
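The kind of contextual prioritization Caspi describes (is the affected component actually loaded at runtime, is it reachable from the internet, and what sensitive data or services sit behind it) can be sketched as a small re-scoring routine. The example below is added here for illustration; it is not Legit Security's code and says nothing about how the vendor's platform is implemented. The deployment graph, the set of sensitive assets, the findings and the weighting factors are all constructed assumptions chosen to show how the ranking changes once context is applied.

```python
from collections import deque
from dataclasses import dataclass

# Constructed sample deployment graph (assumption, not real data): an edge
# A -> B means requests or calls can flow from A to B. "internet" is the
# external entry point; batch-report-job has no inbound path from it.
DEPLOYMENT_GRAPH = {
    "internet": ["api-gateway"],
    "api-gateway": ["orders-svc", "auth-svc"],
    "orders-svc": ["orders-db", "libxml-parser"],
    "auth-svc": ["user-db"],
    "batch-report-job": ["orders-db", "legacy-pdf-lib"],
}

# Constructed labels for assets that hold sensitive data.
SENSITIVE_ASSETS = {"orders-db", "user-db"}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    component: str
    cvss: float
    loaded_at_runtime: bool  # False: ships in the image but never executes


def reachable_from(graph, start):
    """Return every node reachable from `start` (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def contextual_priority(finding, graph=DEPLOYMENT_GRAPH, sensitive=SENSITIVE_ASSETS):
    """Adjust a CVSS base score by deployment context. Weights are illustrative."""
    reasons = []
    # Code that is never loaded cannot be exercised; demote it sharply.
    if not finding.loaded_at_runtime:
        reasons.append("component present but never loaded at runtime")
        return {"id": finding.finding_id, "score": round(finding.cvss * 0.1, 2),
                "reasons": reasons}

    # Exposure: is there any path from the internet to this component?
    internet_exposed = finding.component in reachable_from(graph, "internet")
    exposure = 1.0 if internet_exposed else 0.3
    reasons.append("reachable from the internet" if internet_exposed else "internal-only path")

    # Blast radius: which sensitive assets can be reached from the component?
    downstream = reachable_from(graph, finding.component)
    sensitive_hit = sorted(downstream & sensitive)
    if sensitive_hit:
        reasons.append("can reach sensitive data: " + ", ".join(sensitive_hit))

    score = finding.cvss * exposure * (1 + 0.2 * len(sensitive_hit))
    return {"id": finding.finding_id, "score": round(score, 2), "reasons": reasons}


def rank_findings(findings, graph=DEPLOYMENT_GRAPH, sensitive=SENSITIVE_ASSETS):
    """Return findings ordered by contextual score, highest first."""
    scored = [contextual_priority(f, graph, sensitive) for f in findings]
    return sorted(scored, key=lambda r: r["score"], reverse=True)


# Constructed findings. By CVSS alone the order would be F1, F2, F4, F3;
# with context applied it becomes F1, F3, F2, F4.
SAMPLE_FINDINGS = [
    Finding("F1", "libxml-parser", 9.8, True),
    Finding("F2", "legacy-pdf-lib", 9.1, True),
    Finding("F3", "orders-svc", 7.5, True),
    Finding("F4", "unused-image-lib", 9.0, False),
]

if __name__ == "__main__":
    for r in rank_findings(SAMPLE_FINDINGS):
        print(r["id"], r["score"], "; ".join(r["reasons"]))
```

The point of the example is the reordering: F3 has the lowest CVSS score but is internet-reachable and sits directly in front of a datastore, so it moves above two "critical" findings that are either only reachable from an internal cron job (F2) or never loaded at all (F4). The weights are placeholders; a real platform would derive exposure and blast radius from observed traffic, runtime instrumentation and data classification rather than a hand-drawn graph.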
Additionally, the Legit Security platform will also use those insights to generate a software bill of materials (SBOM) that can be continuously updated, he added.
While a lot of progress has been made in adopting DevSecOps best practices, it’s clear there remains a significant amount of work to be done. The pace at which code is being created is only going to increase in the age of AI. The challenge is that many of the AI tools used to generate code were trained on examples of code of varying quality collected from across the internet, so the probability that these tools will generate vulnerable code is high. The only practical way to address that issue will be to rely more on AI platforms to identify issues in code created using AI.
Ultimately, that approach should improve the overall security of applications. In the short term at least, however, given the amount of code being created, the overall security of application environments might actually worsen before it gets better. In the meantime, DevSecOps teams would be well advised to scan as much code as possible for vulnerabilities that, if not discovered, cybercriminals will only be too happy to exploit.