AI is creating the next-gen of appsec companies
AI will make appsec more efficient and require less specialization
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m excited to announce that Susan Chiang is joining as our CISO at Headway! Her resume speaks for itself. I’ve known Susan for several years, and she brings a wealth of relevant security experience to our company at a critical time. I’m excited to partner with her!
If you want to join us and help us securely create a mental healthcare system that everyone can access, please contact me or apply on our website!

I’ve seen news about the “big 3” public application security companies. An activist investor is trying to sell Rapid7. Tenable is looking to go private. Qualys is reinventing itself — it’s focusing on attack surface management and cloud security. In my mind, these were the legacy application security companies. They have become less relevant as more companies have moved toward the cloud and agile. This has made it easy for companies like Snyk and Semgrep to fundamentally change the way that application security is done.
These changes with the “big 3” also show that we are fully exiting a phase in application security. This new phase will have developer-focused security tools like Snyk and Semgrep be the contenders rather than the disruptors as they become mainstream with increased adoption. So, what will the next generation of disruptors look like?
I believe that recent advancements in AI will find their strongest initial adoption in application security. This is likely contrary to the popular view in security, which holds that AI will find strong adoption in operationally intensive tasks, such as incident response and authentication threats. Although that may happen, these tasks already use a fair amount of machine learning and AI, so the recent advancements in LLMs will likely not make as material of a difference.
Before the recent surge in LLMs and genAI, I wrote about how appsec is dead and how reality has changed for appsec companies. It’s increasingly hard to build a valuable appsec company. It’s likely that most customers will get less value out of their current appsec tools and will continue to reduce their usage, and as a result, pay less. In other words, the market share and total addressable market are shrinking.
This doesn’t mean that the problems in appsec are solved or even easier to solve. It just means that the available tools aren’t built to solve a company’s current needs. If anything, appsec is becoming more important given the growth in supply chain attacks and usage of cloud-based applications. Applications are getting more complex, which also makes it hard for appsec tools to detect issues in a precise manner — having too many false negatives or positives creates too much operational work for teams and makes the tool not valuable because it creates more work than it’s worth. In short, application security tools haven’t been able to keep up with the pace of change in software and application development.
As a result, there’s been a heavier reliance on software engineers and/or application security engineers to pick up the increasing gaps that tooling hasn’t been able to fill. This is costly to the company. Either software engineers, who aren’t experts in application security, have to spend time working on security, which is inefficient, or the company has to hire application security engineers, who are expensive and hard to find. I talk more about how application security tools can find a way forward using AI as a potential labor arbitrage.
I was pretty vague about what the labor arbitrage entails or what it would look like. I mainly said it wouldn’t eliminate security jobs. However, it’s becoming increasingly clear from chatting with other security professionals that eliminating security jobs isn’t a concern. There’s already a shortage of cybersecurity and application security talent, i.e., the demand for appsec experts is outpacing the ability to train and fill that workforce. Unless something drastically changes, additional training won’t alleviate this problem, at least in the short or medium term, because that training would have to both backfill the previous demand and meet the current demand. As a result, we have to accept this reality, and this reality necessitates a new generation of application security tools to fill the gap. I believe that AI will be a key part of that.
Why would AI and LLMs make a difference?
LLMs are especially good at reading text and making sense of it. Code is just that: well-structured text that fulfills a task. GitHub Copilot and other genAI coding assistants have been popular among developers. Although it’s not clear how much they will improve developer productivity, they have been useful in reducing menial tasks, such as writing “routine” code for well-defined tasks.
My theory is that code is a well-structured language with low variation, i.e., there are a limited set of ways to accomplish a task. Usually, it’s fine to just repeat the same code over and over again. This is why open-source libraries are popular — there’s no reason to write a function from scratch if someone else is going to write it and maintain it.
I do believe the models will likely improve faster than our ability to use them effectively, which is good. As a result, I asked in my article, “Appsec is dead!” the following:
Any imminent changes that will create the need for a next-gen appsec tool?
Nothing is creating a need other than the fact that appsec tools are becoming less effective. In fact, AI and LLMs are opening up the opportunity to create a next-gen appsec tool.
What does this mean for appsec?
We are already seeing a new influx of appsec tools that use AI and LLMs, especially around vulnerability management and security reviews. However, these all seem somewhat nascent and incremental. That’s not surprising. Given the competitiveness in security, starting with one product and building the platform from there is the best strategy. I won’t be surprised if we see more companies tackling this problem from different angles.
Current tools like Semgrep are using AI to supplement their current offering and provide more guidance on how to fix problems in code. This is an interesting approach, but I do think they can do more. Semgrep specifically has a good position around allowing more development-focused security engineers or even software developers to do appsec effectively. To stay competitive, Snyk will also have to figure out their strategy soon.
What will a good company look like in this space?
This is the ultimate question, but I have no idea honestly. I know what a good product will achieve, but I have no idea what the product would look like.
A good product will achieve at least one of these two goals. First, it can delay a company’s need to hire an appsec engineer. This is similar to how nowadays we don’t need to hire datacenter engineers, operating system engineers, or language-specific engineers until we reach scale. This can save the company a lot of money on both recruiting and operational costs. Second, it allows a company to have fewer appsec engineers because the tools allow them to be more efficient or have less work overall.
In other words, the tools have to allow non-specialists, such as general software engineers or other security engineers, to do “good enough” appsec work. Another way is to make appsec engineers more efficient. I do think the former is probably a better path and more compelling for a company because it can eliminate the need for a specialized function until much later, which has a stronger value proposition for spending large amounts of money on a tool.
The main challenge is building a good product. I do think that currently there are some technical challenges to be overcome, but this will become less of an issue as these models improve. For the first time in the past decade, I am feeling bullish about appsec. The whole sector is long overdue for a refresh!