Since the release of ChatGPT, people have asked us how Security Compass will embrace Generative AI and, more broadly, how application security will change as a result.
We are well into the journey of helping our customers build more secure applications leveraging generative AI, including new AI content in SD Elements and SD Blueprint and a Kontra course on OWASP Top 10 for LLM. This blog post will cover upcoming capabilities we will release that leverage LLMs.
Navigator
The field of Generative AI has evolved rapidly since then, and the possibilities for what we can do today and what we might be able to do tomorrow have changed with it. Much discussion has revolved around the potential for LLMs to create vulnerable code since they are often trained on open-source code containing vulnerabilities. Applications represent a major attack vector. However, application security and development teams are constrained by the accelerated pace and frequency with which they release software across diverse environments. This leaves them with limited time to implement the necessary security measures to meet business deadlines. With Navigator, our goal is to make it easier for organizations to build applications that are secure and compliant by design at scale without compromising the speed of delivery.
At Security Compass, we have amassed the world’s largest knowledge base of expert-curated secure coding practices in our content library. This library is not a simple collection of articles from the Internet. Our internal research teams, along with third-party experts in specific technical domains, curate, edit, and categorize software weaknesses, threats, countermeasures/controls, code samples, Just In Time Training videos, and regulatory mappings. Combined with our extensive application security training catalog and hands-on Kontra labs, our over 13,000 content items for secure and compliant coding practices are unrivaled. Moreover, we regularly receive feedback about the real-world applicability of content from end users, resulting in a feedback loop that allows us to further refine content effectiveness. The end result is data that, combined with the strengths of current LLMs, can bring significant benefits to our users.
Navigator is the first feature we are shipping in beta in July. It follows our strategic theme of Intelligent Content, which provides the following benefits to end users:
- Context-specific guidance: Security by Design tools have generalized content designed to work in many contexts and environments. However, the general content sometimes misses the details users need in their specific context. With Navigator, users can ask in-depth questions and get contextual answers pertaining to threats, weaknesses, countermeasures, implementation guidance, how-tos, regulations, and survey answers specific to their project. Instead of having access to a countermeasure like “T8: Use Consistent Error Handling for All Authentication Failures”, users can ask clarifying questions like “How can I implement T8 in my Ruby on Rails application?”.
- Cover new technologies and standards: Even though SD Elements has the world’s largest secure coding knowledge base, there are cases where users need to ask questions about technologies or compliance requirements not covered out of the box. For example, “How can I salt and hash stored passwords in Rust?” or “How does China’s Cybersecurity Law relate back to SD Elements countermeasures?” Navigator will dynamically provide responses trained on the SD Elements knowledge base.
- Translate to different languages: Using Navigator, users can translate content into different written languages. For example, “Translate T15 into Spanish.”
- Ask questions about SD Elements: Users can quickly find answers to questions about SD Elements, such as “What’s the relationship between the countermeasure risk rating and the weakness priority?”
We expect to uncover many more exciting use cases of Navigator as we enter the beta and hear from our users. If you are interested in participating in this beta, please contact [email protected] for more information.
Threat Model with Anything
According to our primary research in The State of Security by Design and Threat Modeling in 2024, scalability and resource constraints are the 2nd and 3rd most common challenges with threat modeling. Using SD Elements or SD Blueprint is one of the fastest methods to ensure Security by Design, reducing the time to perform security activities by 90%+. However, we recognize that there is even more room to speed up the activity.
That’s part of the motivation for releasing the ability to scan GitHub repos to model applications in our 2024.2 release, which complements the custom modeling automation our most sophisticated enterprise customers have used for years.
Imagine, however, taking any image or document you have to describe a system—from requirement specifications to architecture diagrams to readme files—and having the system automatically create a relevant system model, threat model, and corresponding security requirements. This is the vision of what we call “Threat Model with Anything,” and we are making fundamental advances toward that vision in 2024.
Importing Any Image
Many organizations use diagrams or visualization tools to represent threat models, from diagrams on whiteboards to Visio, Lucid Chart, PowerPoint, etc. Organizations often ask, “Could we use the diagrams we already have to drive Security by Design in SD Elements and SD Blueprint?” Our team has begun work on a feature that leverages advances in AI to recognize any threat model image and convert it into an SD Elements and SD Blueprint diagram.
We expect to release this functionality in beta to customers who opt in within the next four months. We will work closely with beta customers to determine any inaccuracies and improve the models before promoting the capability into general availability, which customers may opt out of. If you are interested in participating in this beta, please contact [email protected] for more information. This is an excellent opportunity for early adopters to experience the benefits of importing any image and help shape its future development.
Importing Any Text or Document
Advances in foundational Large Language Models (LLMs) have also improved the ability to recognize text and make meaningful assumptions. Our next advance will allow users to take unstructured text as well as some text-based files, interpret them, and use them to answer questions in an SD Elements project automatically:
- Users will have a new option to import files that describe technical design or business context.
- We want to make it easy to integrate with existing tools and automate via APIs.
- We are training AI models to automatically populate surveys or generate diagrams.
- Turn your design documents into threat models that identify critical security requirements.
We expect to release this functionality in beta to customers who opt in by early 2025. Just like the ability to import images, we will work closely with beta customers to identify and fix inaccuracies before the general availability release. Ultimately, we expect to leverage the same underlying capabilities to be able to understand source code or any text-based document to more accurately model a system.
Future Direction
Software written in natural language is the evolution of coding – just as compiled and interpreted programming languages are converted into assembly code, we are quickly transitioning into a world where software is expressed in natural language that is subsequently converted into code. In this world, we believe people will need solutions like SD Elements and SD Blueprint that express security and compliance requirements in natural language to ensure their systems are secure and compliant with sufficient audit evidence to meet emerging regulatory and liability requirements.
There are two other themes for our long-term product evolution that will leverage advances in Generative AI:
- Intelligent Content: Leveraging our extensive knowledge base will allow us to solve the problem of “generic” requirements, ensuring they are context-specific for their particular application and code base. Navigator is a first step in this direction. Moreover, it will help us solve one of the key challenges organizations have – translating their own broadly written corporate standards into the kind of specific, actionable content for development teams that SD Elements and SD Blueprint offer out of the box. We’ve already begun to make some inroads in this area with our research team behind the scenes.
- Close the Loop: Today, SAST, DAST, and SCA tools generally run entirely independently of threat models. They may be missing the assessment of critical security and compliance risks. Imagine a world where your security and compliance requirements feed into an assessment engine, and that engine validates the implementation of the requirements. Instead of relying solely on “clean” scan results to ensure an application is secure, you have the assurance that your system was assessed for all the relevant security and compliance risks. Even if the implementation is imperfect, it would be a significant improvement to the status quo. This vision we call “Close the Loop,” and we believe it is one of the most exciting capabilities to come. Early experiments of using LLMs for security scanning show promise. As LLMs and security scanners that leverage LLMs improve, we will tightly integrate with these tools and envision launching scans directly from SD Elements. Coupled with “Threat Model with Anything,” this will allow for true end-to-end automated application security.
Learn More
Contact us today to learn about our latest advancements and how they can benefit your organization. If you are interested in participating in this beta, please contact [email protected] for more information.
Visit Security Compass to get in touch and discover more about our cutting-edge solutions.