Security AI shifts left into DevSecOps

DevSecOps vendors such as GitLab and Palo Alto's Prisma Cloud embrace security AI throughout the software development lifecycle, as IT trust in AI grows.

DevSecOps vendors such as GitLab, with its One DevOps Platform, plan to inject AI into developer workflows to shore up secure coding, a shift IT pros and analysts say is timely as security AI becomes more popular.

In IT and security operations, AIOps tools can reduce the number of alerts IT pros must respond to or narrow down the root cause of incidents as distributed cloud-native infrastructure grows more and more complex. The same kind of overload that led IT ops teams to embrace artificial intelligence and machine learning has crept into the developer side of the DevSecOps model as well, according to IT analysts.

"Cloud services and modern software development processes, such as microservices application architectures, create a much greater scale of software releases and attack exposures," said Melinda Marks, an analyst at Enterprise Strategy Group, a division of TechTarget. "That, coupled with the cybersecurity skills gap, means that they are looking for ways to reduce tedious, manual tasks to work more efficiently and reduce staff burnout."

The movement to shift security left into DevOps workflows is bringing along applications for AI assistance as well, from vendors such as Palo Alto Networks' Prisma Cloud and GitLab.

For example, Prisma Cloud's DevSecOps tools include support for AI-driven bot comments on code pull requests that act as automated peer reviewers. It also offers fix suggestions for infrastructure-as-code security vulnerabilities, called Smart Fixes.

GitLab also added an AI tool for identifying human peer reviewers with its acquisition of UnReview in 2021. Its product roadmap, newly focused around security and governance, contains more plans for AI-driven automation on the development side of DevSecOps.

"The next thing we want to focus on is intelligent code security. Imagine a spell checker within the Web IDE," said David DeSanto, vice president of product at GitLab. "[If] a developer's writing an insecure line of code, it gets flagged, and they can just click fix."
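To make DeSanto's spell-checker analogy concrete, here is an added illustration that is not GitLab's code and uses no machine learning: a small rule-based checker that flags insecure Python lines as they would appear in an editor and offers a one-click replacement only where the fix is unambiguous. Where it is not (a `shell=True` command built from data, whose correct fix depends on context), it flags the line but leaves the decision to the developer, the distinction Chetal draws below between auto-remediation and AI-driven alerting. The rules, the sample source and all names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample input: a handful of lines a developer might type into an IDE.
# Line 5 is already safe and must not be flagged.
SAMPLE_SOURCE = """\
import subprocess, yaml, requests
cfg = yaml.load(open("app.yml"))
subprocess.run("ls " + user_dir, shell=True)
resp = requests.get(url, verify=False)
safe = yaml.safe_load(open("ok.yml"))
"""


@dataclass
class Finding:
    line_no: int          # 1-based line number, as an IDE would report it
    rule: str             # identifier of the rule that fired
    original: str         # the offending line
    fixed: Optional[str]  # one-click replacement, or None if a human must decide


def _fix_yaml_load(line: str) -> str:
    # yaml.load() without a Loader can instantiate arbitrary objects; safe_load() cannot.
    return line.replace("yaml.load(", "yaml.safe_load(")


def _fix_verify_false(line: str) -> str:
    # Dropping verify=False restores TLS certificate validation (the default).
    return re.sub(r",\s*verify\s*=\s*False", "", line)


# (rule id, pattern that flags an insecure line, auto-fix or None)
RULES: list[tuple[str, re.Pattern, Optional[Callable[[str], str]]]] = [
    ("unsafe-yaml-load", re.compile(r"\byaml\.load\((?![^)]*Loader\s*=)"), _fix_yaml_load),
    ("tls-verify-disabled", re.compile(r"\bverify\s*=\s*False\b"), _fix_verify_false),
    # shell=True with a string built from data is command injection; the right
    # fix (an argv list) depends on context, so flag it but offer no auto-fix.
    ("shell-true", re.compile(r"\bshell\s*=\s*True\b"), None),
]


def scan(source: str) -> list[Finding]:
    """Flag insecure lines the way a spell checker underlines a misspelling."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern, fix in RULES:
            if pattern.search(line):
                findings.append(Finding(no, rule, line, fix(line) if fix else None))
    return findings


def apply_fixes(source: str) -> str:
    """Apply only the one-click fixes; lines without a safe auto-fix are left for review."""
    lines = source.splitlines()
    for f in scan(source):
        if f.fixed is not None:
            lines[f.line_no - 1] = f.fixed
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        action = f"fix -> {f.fixed}" if f.fixed else "needs manual review"
        print(f"line {f.line_no}: [{f.rule}] {f.original.strip()}  ({action})")
    print(apply_fixes(SAMPLE_SOURCE))
```

Running the script flags three of the five lines, rewrites two of them and leaves the `shell=True` call for manual review; a second `scan()` over the fixed output reports only that remaining line. A real product would back such rules with a model and a parser rather than regular expressions, but the shape of the workflow (flag, propose, apply only what is safe) is the same.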

GitLab has also automated fixes for software vulnerabilities as part of its software composition analysis. The company is working on shifting observability left as well, including the automatic creation of incidents that tie in the right developer teams, DeSanto said.

"[We] talk about machine learning to help [developers] write code and as part of code review ... but we're not stopping there. [Incident response] needs to be much closer to the developer," DeSanto said.

XSIAM, a new Palo Alto Cortex security AI tool for production incident response released last month, is primarily focused on SecOps. But it can kick off Prisma Cloud DevSecOps workflows via REST APIs if users choose to link them that way, according to a Prisma Cloud spokesperson.

Security AI earns IT pros' trust

It took time for AIOps tools, which saw a big wave of market hype in 2018 and 2019, to earn the trust of IT practitioners -- and their initial mistrust wasn't misplaced, according to Marks.

"There was a period where everyone was saying they did machine learning or AI, but many [tools] didn't work. Or in some cases, users would enable the automation AI and it would not catch things, or it would block actions, slowing things down and requiring more work," she said. "Vendors are more careful now in how they read these terms [and] the technology is improving."

AI-driven automation has found a home in some DevOps platforms for alert reduction and root-cause analysis, with some IT pros in the early phases of using it to automate remediation of incidents. Security AI has also caught on with the rise of API security tools, along with security orchestration, automation and response (SOAR) and extended detection and response products.

"The concept of using SOAR techniques, or automated playbooks, for known repeatable security operations responses is fairly accepted. In some cases, products are replacing ad hoc scripts SOC folks have already put together," said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global.

In a 2021 S&P Global Market Intelligence survey of 524 respondents, 91% viewed the integration of machine learning techniques as important when selecting a security operations platform, with 51% of those saying it was an important factor.

Security AI on the developer side is more nascent. Some AI pair programming tools, such as GitHub Copilot, have run into licensing and security vulnerability snags. But other tools, such as API security tools that build in automated shield right features, are gaining acceptance among developers. DevSecOps pros say they're prepared to give AI assistance in developer workflows a chance.

"AI automation will be very helpful, especially if there's anything malicious going on in a repository [or] if there's a bad actor in there," said Aradhna Chetal, managing director of cloud security at financial services company TIAA, which uses GitLab's platform.

Not all workloads would be suitable for auto-remediation. But AI-driven alerts and prioritization could be just as helpful to DevSecOps teams in those instances, Chetal said.

DevSecOps security AI puts SIEM in the crosshairs

There may be growing pains for security AI on the developer side as it matures. But there's potentially a compelling reason for DevOps platform teams to look for security AI from DevSecOps tools, such as GitLab and Prisma Cloud, according to analysts -- their ability to take in a broad array of data that covers the whole software delivery toolchain.

This might lead to more useful insights through AI analysis than users might get through specialized security information and event management (SIEM) tools alone, according to Marks.

"Both [Prisma Cloud and GitLab] are really taking aim at the inefficiency of using SIEM," she said. "GitLab is taking the approach [of offering] a single source of truth where you can easily insert security for DevSecOps, set policies and do vulnerability scanning. [That] can reduce work and streamline processes across groups."

It's unlikely DevSecOps tools will replace SIEM tools. But broader access to different types of data may also yield more interesting results from AI, said Jim Mercer, an analyst at IDC.

"Too many vendor tools are focused solely on one product or specific domain data to train models. But the DevOps and DevSecOps tool stacks are more complex and have cross dependencies," he said. "To gain insights into where the real challenges and opportunities live, you need an AI model that is looking across all the aspects of the delivery pipeline. Otherwise, your findings may be a bit shortsighted."

Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
