3 ways AI will advance DevSecOps

Joseph Feiman, Chief Strategy Officer, WhiteHat Security

To some, artificial intelligence and machine learning may still seem like far-off concepts. But the reality is that enterprises are already adopting these technologies, and many experts believe that 2019 may be the year AI and ML move to the mainstream. Not surprisingly, security looks to be one of the leading drivers of that adoption.

In a recent survey of enterprise IT by 451 Research, "Voice of the Enterprise: AI & Machine Learning—Adoption, Drivers and Stakeholders," almost 50% of respondents indicated that they have deployed or plan to deploy machine learning in their organizations in the next 12 months. The same study revealed that security is the second most important reason for applying machine learning in enterprises. Enterprises see it as a key use case for the next two to three years.

This makes sense when you consider the major advantages AI provides to modern cybersecurity applications. The ability for applications to learn based on experience, and then use that knowledge to inform their behavior when confronted with similar issues in the future, delivers a significant benefit compared to more traditional passive applications.

As security drives adoption of AI, you can expect to see its implementation in DevSecOps, the effort to marry DevOps and security on a single team focused on delivering new and secure applications more quickly.

Adding security to the DevOps mix has become increasingly important with the rapidly accelerating pace of the modern development cycle. Despite that, acceptance of DevSecOps in IT operations has been somewhat lagging. But that could soon change, thanks to AI.

Here are three ways AI will advance and reignite interest in DevSecOps in 2019.

Reduce security review time

The biggest challenge to DevSecOps is how to get new applications to market at the pace demanded by business while thoroughly assessing potential security risks. With the growing pressure to get applications into production in real time, app sec teams are constantly caught between the need to keep pace with security testing and the ability to help developer teams operate as quickly as possible.

That's why the biggest resistance factor to DevSecOps has been the amount of time it takes to test applications for vulnerabilities. Security reviews have slowed down DevSecOps to such a degree that they actually de-incentivize its use. When deadlines are tight, it's easy for developers to skip key security risk-assessment procedures.

But thanks to the speed and accuracy of AI technologies, developers can hit tight production deadlines while still carrying out comprehensive application security vulnerability checks. AI software can dramatically decrease threat vector identification times and improve the efficiency of false positive identification.

That means you can increase the speed at which developers learn about potential application security vulnerabilities and deliver real-time security risk assessments.

Manage the cybersecurity expertise shortage

The lack of cybersecurity experts has gained much attention, and rightfully so. Even as cyber attacks and data breaches become increasingly common, companies across industries face a severe shortage of cybersecurity skills. 

While it may run counter to preconceived notions about AI replacing humans in the workforce, for all its advantages, AI—and machine learning, in particular—still heavily depends on humans. For machine learning to successfully learn and adapt, human monitoring and continuous input are required. It is the only way to guarantee that you're using the correct data to arrive at the right conclusions.

As AI technologies become more prevalent within DevSecOps processes, they should help alleviate the chronic shortage of cybersecurity experts. This will happen by driving a need for a new breed of data scientists and security professionals who can train AI models on what to look for. These people will need to know computer science and data science, and, above all, have sufficient domain security expertise to be able to tell the bad data from the good, and bad results from good ones.

Human monitoring makes it possible to detect whether datasets are becoming corrupted, to test whether the conclusions produced are correct, and to help guarantee compliance. Machine learning is only as good as the humans who program the software to ask the right questions and ensure it is presented with the right data to learn.

AI and machine learning are not some kind of silver bullet that can defeat all types of cybersecurity threats. That's because these same technologies are also being adopted by hackers and criminals. This fact only further highlights the need for humans who can identify the policies, procedures, processes, and countermeasures needed to keep an organization safe. 

Teach developers about potential security mistakes

Another positive outcome of integrating AI technologies into DevSecOps is that it can help developers continually improve their craft, and, in turn, help them and their companies achieve industry leadership. It can do this because AI enables developers to identify and learn from their mistakes without having to disclose them to the rest of the DevOps team, sparing them any humiliation they might have otherwise suffered. Developers can then take that knowledge and move forward with confidence to their next project.

Another benefit: When given the choice of thoroughly checking for vulnerabilities or being reprimanded for delivering their code late, many developers opt to take their chances on a breach so as to ensure that they meet their deadline. AI eliminates that risk by allowing developers to quietly address vulnerabilities in their code long before the application goes into production.

AI can also increase security skills by providing customized secure code patterns that can fix detected vulnerabilities. Developers can learn those patterns and apply them in the future.

The move toward mass scale is on

AI has already made its way into some cybersecurity processes, and it's only a matter of time before it is being used to automate cybersecurity on a massive scale. As that happens, it seems the best place to implement AI is early in the development cycle, making it a natural fit for DevSecOps.
