Kusari has added an artificial intelligence (AI) tool that runs a security risk assessment every time an application developer makes a pull request.
Company CTO Mike Lieberman said Kusari Inspector is designed to make it simpler to shift security left toward application developers in a way that doesn’t impinge on productivity.
Most application developers care about security, but getting the information they need to ensure it has historically been problematic, said Lieberman. Kusari Inspector makes use of AI and dependency graph analytics to surface issues long before vulnerabilities and other structural flaws are incorporated into a software build, he said.
Priced at $10 per seat per month, Kusari Inspector continuously learns about the codebase and individual application developer preferences, making it possible to generate instant, context-rich, annotated security reports with inline explanations for every new or updated pull request. Developers are then provided go/no-go guidance, remediation suggestions, and step-by-step instructions to mitigate risks such as exposed credentials, misconfigurations, typosquatted or maliciously named dependencies and prohibited licenses.
In addition to identifying those issues, Kusari Inspector will also rank risky, low-trust, or vulnerable dependencies—direct and transitive—based on multiple data sources to provide developers with a deeper understanding of application security issues, said Lieberman. Developers can also chat with Kusari Inspector via a natural language interface to clarify findings, customize recommendations, and set security standards.
Finally, Kusari Inspector will automatically generate and collect source data for a software bill of materials (SBOM) across all connected projects and repositories.
The core Kusari platform leverages AI to identify dependencies and understand the blast radius of incidents using metadata it collects from throughout the software supply chain. That capability is now being extended further left to provide application developers with a tool that enables them to write more secure code.
It’s not clear how much DevOps teams are investing in AI, but a recent Futurum Group survey finds that 41% of DevOps professionals expect generative AI tools and platforms will be used to generate, review and test code. A separate Futurum survey of cybersecurity leaders finds all are investing in software supply chain security, with application security posture management (ASPM) and DevSecOps automation and orchestration topping the priority list, followed closely by software composition analysis (SCA) tools, application programming interface (API) security and dynamic application security testing (DAST) tools. In addition, 30% of respondents expect to be piloting a software bill of materials (SBOM) initiative in the next 24 months.
However, the source of the funding for these initiatives is becoming more of a shared responsibility, with only 21% of respondents reporting that security budgets are the sole source. In fact, half of the respondents (50%) noted that application development teams now own responsibility for application security.
Overall, only 25% of respondents said there is limited collaboration with application development teams, resulting in occasional friction, compared to 59% that said there is good collaboration with room for improvement. Only 16% said there is a tight partnership based on shared goals.
Hopefully, AI tools will continue to close that gap in a way that reduces the current level of stress felt today by all concerned.