The Magic of AI in Static Application Security Testing


Let's check out Artificial Intelligence in Static Application Security Testing as well as explore a brief intro into AI through the years.


Artificial Intelligence Through the Years

A few years back, when someone said "Artificial Intelligence" (AI), we immediately thought about Skynet, The Terminator, The Matrix, HAL 9000, J.A.R.V.I.S., and all the other sci-fi technologies we saw in movies. Since then, things have changed quite drastically. When you hear about AI today, you expect a conversation about smart assistants like Siri, Cortana, or Alexa, or you expect to hear about how IBM Watson won Jeopardy! by a healthy margin.

AI slowly moved past the research phase and made its way into multiple industries, including healthcare, fashion, weather forecasting, teaching, and driving. IBM even had Chef Watson cook some food (and it didn't even taste that bad). Thankfully, one of the disciplines where we see AI making a strong impact is IT Security.

The Intersection of AI and Application Security Testing

IT Security is one of those places where there are nowhere near enough human resources to tackle the amount of information and data that are produced, let alone to stay ahead of threats. To tackle this problem, companies are turning to AI to help them go through tasks that can be automated and get their valuable security specialists to focus on vulnerabilities that pose immediate threats.

A core component of IT Security is the discipline of Application Security. That discipline focuses on strengthening applications by leveraging a number of tools and methodologies. A key tool in this space is Static Application Security Testing, also referred to as SAST.

SAST tests application source code, bytecode, or binaries. It can be described as a type of theoretical analysis: it flags anything that could look like an issue without taking into account any information about the kind of application being scanned or the context in which the suspicious code runs. Because of the way scans work, the tools tend to generate a lot of results, often seen as noise or false positives. Going through these findings has been a painful and slow effort, like looking for the proverbial needle in a haystack, and that makes it an interesting problem to tackle with AI.
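To make the "theoretical analysis" point concrete, here is an added example (not code from the article, and not IBM's tooling): a toy Python SAST pass that flags every call to a dangerous sink purely syntactically, followed by a second, context-aware pass that keeps only findings where a function parameter reaches the sink without going through a known sanitizer. The sink list, sanitizer list, and the sample program under analysis are all constructed for this illustration; the names `naive_pass`, `contextual_pass`, and `Finding` are assumptions, not an API from any real tool.

```python
"""Toy static analysis: a noisy syntactic pass versus a context-aware pass.

The sample program, sink list and sanitizer list below are constructed for
illustration only; they are not from the article or from any product.
"""
import ast
from dataclasses import dataclass

# Calls we treat as dangerous sinks (constructed, deliberately small list).
SINKS = {"os.system", "subprocess.run", "subprocess.call",
         "subprocess.Popen", "eval", "exec"}
# Calls we treat as neutralising their argument (constructed list).
SANITIZERS = {"shlex.quote", "html.escape"}

# Constructed program under analysis; line numbers count from the leading newline.
SAMPLE_SOURCE = '''
import os, shlex, subprocess

def list_home():
    subprocess.run(["ls", "-l", "/home"])                    # constant args

def archive(path):
    os.system("tar czf backup.tgz " + shlex.quote(path))     # sanitized param

def run_user_command(cmd):
    subprocess.run(cmd, shell=True)                          # unsanitized param

def debug_eval(expr):
    return eval(expr)                                        # unsanitized param
'''


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    reason: str


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def naive_pass(source):
    """Pass 1: report every call to a sink, with no regard for its arguments."""
    tree = ast.parse(source)
    findings = [Finding(n.lineno, dotted_name(n.func), "call to dangerous sink")
                for n in ast.walk(tree)
                if isinstance(n, ast.Call) and dotted_name(n.func) in SINKS]
    return sorted(findings, key=lambda f: f.line)


def enclosing_params(tree):
    """Map each Call node to the parameter names of its innermost enclosing function."""
    params_of = {}
    for fn in ast.walk(tree):  # breadth-first, so inner functions overwrite outer ones
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            names = {a.arg for a in fn.args.args + fn.args.kwonlyargs}
            if fn.args.vararg:
                names.add(fn.args.vararg.arg)
            if fn.args.kwarg:
                names.add(fn.args.kwarg.arg)
            for node in ast.walk(fn):
                if isinstance(node, ast.Call):
                    params_of[node] = names
    return params_of


def _tainted(node, params):
    """True if `node` references a parameter outside of any sanitizer call."""
    if isinstance(node, ast.Call) and dotted_name(node.func) in SANITIZERS:
        return False  # whole sanitized subtree is treated as clean
    if isinstance(node, ast.Name) and node.id in params:
        return True
    return any(_tainted(child, params) for child in ast.iter_child_nodes(node))


def contextual_pass(source):
    """Pass 2: keep only sink calls fed by an unsanitized function parameter."""
    tree = ast.parse(source)
    params_of = enclosing_params(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
            params = params_of.get(node, set())
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(_tainted(a, params) for a in args):
                findings.append(Finding(node.lineno, dotted_name(node.func),
                                        "parameter reaches sink unsanitized"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for label, fn in (("naive", naive_pass), ("contextual", contextual_pass)):
        print(f"{label}: {len(fn(SAMPLE_SOURCE))} finding(s)")
        for f in fn(SAMPLE_SOURCE):
            print(f"  line {f.line}: {f.sink} ({f.reason})")
```

On the sample program the naive pass reports four findings and the contextual pass two, which is the noise-reduction step the article attributes to AI-assisted triage. The caveat is that the contextual pass only knows what its sanitizer list tells it, and it ignores taint that arrives through globals, files, or the network, so every finding it discards still deserves a sanity check by a human; trimming noise and missing real issues are two sides of the same design decision.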

Significant Benefits of AI

Given the success of AI in other efforts, in 2015 IBM experts decided to apply the technologies underlying Watson to this problem. After over a year of training and testing, the results have been more significant than initially foreseen. The Intelligent Finding Analytics (IFA) agent has proven itself to be very accurate, with an overall accuracy of over 98%, nearly identical to that of capable and experienced application security experts, and we don't have a lot of those running around these days. A further benefit of using AI for this is that machines don't get tired. In certain cases, it was reported that the system was more accurate than the human experts, which is very likely attributable to people becoming fatigued after hours of hunting for the real issues.

The results: In terms of the number of false positives, by October 2016, the tool had reached a reduction rate of 98.91 percent!

And today, security experts from across a number of industries have reviewed and accepted the capabilities of this AI in this space, and rely on it to speed up their security testing processes.

So, if you are feeling like you are spending too much time looking for the needle in the haystack instead of actually working on remediating and improving your code, look out for the tools that simplify and speed up the work for you. To learn more about this compelling topic, visit our recent DZone article titled, "How Significantly has Artificial Intelligence Penetrated the Cybersecurity Market?"
