Glossary

What is AI Security, and How Does AI Work to Enhance Application Security?

Summary

“AI tools support developers in achieving velocity and reducing manual effort — but they also open the business up to risk. Checkmarx uses AI to prevent this risk and accelerate AppSec with AI security across areas such as SAST, secrets management, guided and auto-remediation, and more. ”

AI security for application security is an essential topic for today’s AppSec leaders, recognizing both the opportunities available by leveraging AI security tools as part of a comprehensive application security platform, as well as the inherent risks that ungoverned and unmanaged use of AI can open the business to. 

This guide will take a deep look at AI security, meaning the improvements AI generates in application security, the risks and best practices you may not be aware of, and how AI works to enhance AppSec as a whole. 

What is AI Security? 

Let’s start with an AI security definition to better understand what we mean when we talk about AI security solutions and AI security risks. 

AI has taken a huge leap over the past decade, and generative AI in particular is on everyone’s mind at the moment. These AI advancements have impacted every industry, and cybersecurity is no different. AI security is the way we discuss this phenomenon, whether we are focusing on AI security opportunities such as new tools and features that leverage AI, or AI security limitations — such as the ways that attackers are taking advantage of AI to launch sophisticated or never-before-seen threats.  

What Improvements does AI Generate in Security?

Let’s start with the good news. AI is changing cybersecurity for the better. AI is already widely being used for threat detection and predictive analytics of emerging threats for example, or for parsing huge volumes of data to uncover activity patterns that are anomalous or suggest malicious intent. AI tools have also been developed to build and validate mitigation strategies, and automate previously manual cybersecurity tasks such as aggregating data, sorting and prioritizing alerts, and building workflows that take the weight of human security analysts and SOC teams. 

What Risks are Opened up by AI in Security? 

Going deeper, what if we turn our attention to AI security in AppSec? The vast majority of developers are already using Gen AI to write code, and 42% of those developers say that they trust the output of the LLMs that they use. However, Stanford research has found that those with access to an AI assistant write significantly less secure code than those without, and worse — they are more likely to believe they are writing code that contains fewer vulnerabilities. While it’s true that AI-based code generation simplifies developers’ workload, whether it’s writing the code from scratch, or providing feedback during the Software Development Lifecycle (SLDC) to improve code or help troubleshoot issues, it should be used with caution and guardrails, as it’s not without risk. The data from Stanford confirmed that the more trust participants placed in the AI — the more vulnerabilities their code contained. 

The OWASP Top 10 for LLMs covers the risks in detail, including: 

  • Prompt injection: If threat actors access an LLM through jailbreaking or accepting input from an attacker-controlled source, it can be manipulated to execute malicious intentions. 
  • Insecure output handling: Malicious content can be injected before the information is passed to the developer, leading to Remote Code Execution or privilege escalation. 
  • Poisoning of training data: Manipulating the original training data can mean the model itself is compromised to surface inaccurate or dangerous information to the users. 
  • Denial of Service attacks: LLMs are vulnerable to DDoS attacks the same way as any other target. If an attacker consumes enough resources, service quality can be degraded or costs can spiral. 
  • Supply chain attacks: Developers can easily rely on third party downloads or packages, which may be vulnerable, outdated, deprecated, or even poisoned by a third party contributor. 
  • Disclosure of sensitive information: Without data sanitization, any input can be used to train a model further. Additionally, LLMs can disclose sensitive information such as intellectual property or algorithms unintentionally. 
  • Insecure plugin design: Threat actors can create malicious requests including exfiltrating data or remote code execution, and push it through the use of a plugin used by any model. 
  • Excessive agency: LLMs may have access to plugins with too much functionality, hold the same identity as a privileged account with too many permissions, or be able to act with autonomy without human verification. 
  • Overreliance: Developers will get to know the LLMs they like to use and which have performed well. This can lead to overreliance and a failure to check for hallucinations or to validate outputs. 
  • Model theft: In some cases, attackers can steal and manipulate genuine LLMs, creating a shadow model, stealing the data the LLM holds, or fooling its users into inputting their own data. 

At Checkmarx, we have already seen attackers modify their attack methods in line with the growing use of LLMs, taking advantage of the change in developer behaviors and their reliance on Gen AI. For example, threat actors can find package suggestions that are hallucinations, and create a malicious package with that same name, or add malicious packets to a model that is publicly available on a community forum — reuploading it and waiting for an unsuspecting user to inject infected code into their system unawares. 

AI Security Best Practices

Before we look at AI security tools that can mitigate these risks, there are some general best practices that all organizations should be aware of when working with AI and LLMs. 

  1. Ask the right questions: Every LLM or AI-based tool will open your business up to a certain amount of risk. It’s up to you to understand that risk. Look at details such as whether the LLM is connected to public data, what community it came from, and whether you have provided developers with tools to scan for vulnerabilities in their flow of work. 
  2. Support developers with their work: Developers want to move fast, and security cannot feel like a hurdle — or team members may skip essential steps and processes. Make sure you have visibility into all AI tools and LLMs being used in your organization, and offer solutions to development teams that allow them to continue in their flow of work, using the tools and processes they are used to — while stepping up risk reduction. 
  3. Ensure human oversight: AI is an incredible tool to augment staff and help them to be more productive, but it’s not a replacement for human validation. Wherever you use AI in the SLDC, ensure you have skilled professionals checking the results and remediations, and never give AI autonomy to make decisions without human input and support. 

[GUIDE] 7 Steps to Safely Use Generative AI in Application Security

Want to use GenAI Safely in Application Security? Download this exclusive report now and learn how to stay safe while implementing AI – in just 7 steps.

Get the Report

How Does AI Work to Enhance AppSec?

With these best practices in mind, how can we use AI to enable AppSec, rather than increase risk? After all, development velocity is an important differentiator for any business, and it’s important that developers can continue to leverage AI tools — just with governance and control in place to mitigate the risk factors. 

Luckily, AI opens as many opportunities as it does risks — if not more. When organizations can implement the right AI security tools in the right way, they can safeguard the way that developers work so that they can enable the power of LLMs, while minimizing risk. 

At Checkmarx, we use AI security tools to improve AppSec teams’ ability to perform a wide range of security tasks, including: 

  • Code scanning
  • Composition analysis
  • Remediation
  • Risk reduction
  • Secrets management

AI Security Tools for SAST 

As part of Checkmarx One, Static application security testing (SAST) allows development and AppSec teams to find and mitigate vulnerabilities in source code as early as possible in the SLDC. Checkmarx’ AI Security Champion uses the power of artificial intelligence to scan applications faster and with greater accuracy than the traditional approach to SAST — which relies on preset queries and manual rulesets alone.  

Instead, development teams can use AI to analyze data flows to find patterns and structures that could signify a vulnerability, and know that the AI is learning over time to become even more accurate and helpful to their teams. Checkmarx’ AI Security Champion scans for issues in the application, and even includes auto-remediation — providing the exact code that can be used in the development workflow to fix the issue ahead of time. This is given to developers alongside a Confidence Score between zero and 100 which points to how exploitable the issue is in the context of the business, helping with prioritization, a pressing challenge with today’s deluge of alerts. Developers simply add the human touch — reviewing and implementing the fix without needing to escalate the issue to AppSec teams. 

Another way that AI algorithms can integrate into SAST for better results is Checkmarx’ AI Query Builder.

Traditionally, queries are created manually or come as presets optimized for specific applications or compliance requirements — able to be customized on demand.

This functionality is important, but AI can take query creation up a notch. Even those without technical knowledge or expertise in a specific programming language can use AI Query Builder for SAST to write custom queries or to modify existing ones, fine tuning their queries to increase accuracy and decrease false positives or negatives over time. 

As AI security tools test code faster than manual testing, they accelerate risk reduction, reduce costs, increase developer productivity, and make the whole process of SAST more efficient from end-to-end. 

Checkmarx AI Security Solutions 

As well as AI for SAST, Checkmarx One includes a wide range of application security capabilities that leverage AI to reduce risk while accelerating AppSec processes. Here are a few of the most powerful: 

AI Security Tools for Software Composition Analysis

Think about how Software Composition Analysis (SCA) scans open-source components to find vulnerabilities and reduce risk, and you’ll begin to understand how our Checkmarx GPT feature works for developers leveraging LLMs such as ChatGPT and Copilot. Checkmarx GPT provides real-time scanning of all code generated by GitHub Copilot within the IDE, validating the safety of all generated code, and checking for any known vulnerabilities. The tool can also suggest packages which present the least risk, and share open-source licenses and additional information which may be of use. 

AI Security Solutions for Guided and Auto Remediation

Checkmarx One also includes AI Guided Remediation for IaC security and KICS, as well as the auto-remediation for SAST we discussed above. Guided remediation empowers developers to fix any misconfigurations found in their Infrastructure as Code (IaC), providing the remediation advice directly within the IDE, supporting developers in their flow of work. Developers simply follow the AI tool step by step to remediate the issue, asking their own questions, or learning as they work with common questions provided in the console. Once the misconfiguration is fixed, developers can rescan immediately — validating that the risk has been resolved. 

AI Security Options for Secrets Management

Many of the OWASP Top 10 for LLMs are related to unintentional or malicious data leakage, or the inability to protect confidential information and secrets. Our partnership with Prompt Security offers AppSec teams browser and IDE extensions which can automatically recognize secrets and code when developers use a GenAI platform or a collaboration application. Prompt Security then obfuscates the secrets, ensuring that credentials, IP, or any other sensitive or proprietary information is not shared. 

Checkmarx One: Enhancing AI Security for AppSec Teams

The growth of AI is a huge opportunity for today’s businesses, and developers are already leveraging the power of LLMs to write code, troubleshoot, and fine-tune their applications. With AI security solutions in place, AppSec teams can champion the use of LLMs for velocity and innovation, knowing that AI is also working behind the scenes to ensure any risks are surfaced as they occur. 

With Checkmarx One, all our AI security tools are packaged in a single application security platform. Developers have all the tools they need to uncover vulnerabilities and fix them alongside their regular flow of work, and security teams can rest easy with full visibility, knowing they are protected against a new generation of attacks. 

Looking to accelerate AI security for AppSec, and secure your developer environment against GenAI-related threats? Schedule a demo of our AI-based application security tools. 

Table of Contents