Qwiet AI Raises ‘Volume’ Of Application Vulnerability Fixes

Software has engines. We often talk about the existence of software engines as core components of technology that drive (hence the analogy) substantial elements of the way we might use an application or service. A database engine looks after all the read, write, access and analyze functions needed; a game engine looks after 3D rendering and character movement on screen and much more; a search engine handles – well that one is obvious, right? – and we have data science engines for big data analytics… and so on.

This useful analogy also works in the application security (sometimes known as AppSec) industry, but at a slightly different level that helps us explain how vulnerability detection and remediation is now evolving.

“There are a lot of legacy tools out there and the application security business has for a long time operated somewhat like a car mechanic’s workshop i.e. they like to tell you where your problem is, point out the oil leaks and perhaps wave a finger at your flaky brake pads,” said Stuart McClure, Qwiet AI CEO. “Clearly, it’s more prudent to shore up a car engine before it leaves the factory and perform regular maintenance checks before you consider putting your key in the ignition every day. That same principle holds for software security i.e. if we look at code vulnerabilities before application ‘runtime’ – that point where code actually executes, loads into memory and our apps work – then we can drive forwards more safely.”

Before day zero

McClure’s clarification is made in relation to Qwiet AI’s AI-powered code vulnerability detection platform. Known as preZero, the platform is named to denote its focus on fixing code fragilities ‘before’ the emergence of so-called zero-day (or ‘day zero’) attacks, i.e. attacks that exploit a flaw before anyone defending the system has learned of it (or started to prepare a mitigation), while no patch exists and the flaw can still be exploited.


Pointing to what McClure calls out as the legacy code vulnerability vendors (we don’t need to name names) that have traditionally focused on detecting and responding to threats, vulnerabilities, breaches and attacks, Qwiet AI has sought to go beyond – actually, we should say go before – the approach taken in the past and focus on keeping software application developers in a highly productive ‘flow’ state. In keeping with the spirit of continuous always-on computing, the company has focused on adding capabilities to its platform that will keep developers focused on producing code while reducing time wasted on chasing false positives and low-priority issues.

“To prevent software code and the applications it drives being attacked, you have to understand how that attack happened in the first place – and all attacks come from developers,” advised McClure. “In an era (now) where AI-assisted malware tools exist and the threat landscape is yet again changing, enterprise organizations will need to fight fire with fire and use AI-powered code vulnerability detection to enable remediation at the software code level. Application security is a realm where prevention is feasible, but it’s more than just a question of shift left, we need to shift back to a pre-zero day state.”

This concept of ‘shifting left’ (assuming we write from left to right) is the software industry’s term for moving security testing earlier into the development process, towards the point where code is written rather than the point where it is deployed. However, many argue that the challenge lies in the fact that the promise has often outpaced the technology, resulting in many AppSec tools lacking accuracy and speed. McClure and team suggest that these tools produce ‘noisy’ results that disrupt the development process (we get it guys, you called the company Qwiet AI) without significantly enhancing application security.

Previously known as ShiftLeft, Qwiet AI changed its name this year in line with the fact that shifting left has now become a de facto action and a defined piece of terminology (jargon if you wish) in the global technology lexicon. The company itself was founded around a technology known as a code property graph (CPG): a single graph representation of a program that combines its syntax tree, control flow and data dependencies, so that an analysis can follow how data actually moves from an input to a sensitive operation. This patented method approaches code and software analysis differently, offering more comprehensive data flow analysis and critical context than other existing tools – allowing users to see not only vulnerabilities in the code, but also whether each one is reachable and exploitable by a bad actor.

A fundamental unlock

“The true breakthrough came with the recent advancements in AI, driven by sophistication in models, enhanced computing power and a growing pool of talent. This has been a ‘fundamental unlock’ for the industry and for us as a company” said CEO McClure, who was previously both a coder and a technical writer. “By combining our original technology’s data and visibility with over six years and 78 billion lines of analyzed code, we’ve created an application security tool with a custom AI engine that naturally takes advantage of the visibility and insight provided by our patented CPG-based scanning methodology. The impact has been remarkable both in terms of speed (12x faster than legacy tools) and accuracy (80% fewer false positives), freeing engineers, DevOps and security teams from the ‘time suck’ of chasing vulnerabilities that are either unreachable or false positives.”

There’s a lot of quiet confidence around (pun not intended and apologized for) if you listen to the Qwiet AI team. They suggest that the ‘entire security industry could be put out of business if everyone used these tools’ and that we’re now at a point where the IT industry has the technological capability to ‘vaccinate companies against cyberattacks’ through securing applications before they’re released.

Progressing preZero

Like any enterprise software vendor worth its salt, Qwiet AI has spent this year finessing, augmenting and extending its core technology platform and expanding the scope of its services. The preZero User Interface & User eXperience (UI/UX) layer has been enhanced to deliver views tuned to specific use cases and allows quick navigation to the material that matters most to a specific user be it a developer, security professional or executive leadership.

“Most software tools in this sector focus on the software engineering (programmer/developer) team and their operations counterparts who are focused on managing Continuous Integration (CI) pipelines etc. or, alternatively, they are focused on the cybersecurity management team – our platform has been designed and built to focus on both,” said Chris Hatter, Qwiet AI chief information security officer (CISO). “We want both teams to be working together in unison so we can validate the term AppSec as a unified entity; this is why we have extended our (UI/UX) to serve what I would call ‘both personas’ across developer & cyber teams. Additionally, we want the cyber team to be able to understand macro-organizational issues by business unit, so there’s more than one epiphany moment happening here.”

Among the platform’s other features are its Software Bill Of Materials (SBOM) export functions. These allow customers to export an inventory of the components an application is built from, alongside the findings against them, in line with the White House executive order on improving the nation’s cybersecurity of May 2021 (Executive Order 14028), which called for SBOMs as a way to reduce security issues around the software supply chain. New software language support has also been added this year, but let’s leave the details there to the engineers.

Qwiet button increases volume

To come full circle then and attempt to justify the title headline on this discussion, the Qwiet AI screen interface offers a Qwiet Button. This is a function designed to reduce the ‘noise’ stemming from system scans that might highlight hundreds of vulnerabilities in a typical enterprise software stack. It activates several key filters including vulnerability criticality, reachability and exploitability to display those vulnerabilities that are most urgent and in need of remediation, allowing developers to focus on what matters most.

Imagine a system scan for a US-based retail manufacturing business with two warehouses, 18 stores and a corporate headquarters with satellite offices in Europe.

An initial report details 286 software code vulnerabilities and the cybersecurity team takes one look and realizes it is drinking from a firehose. An initial filter can be applied in Qwiet AI to reduce that number and only display those vulnerabilities that are of high severity – an action that might take the figure down to 128 – so things start to look more manageable. A second filter highlights only those vulnerabilities that are reachable (where a call path exists from something an attacker can drive, such as an Application Programming Interface (API) endpoint, to the vulnerable code), which sees the total figure reduced to let’s say 76. A third filter is then applied to display only those vulnerabilities that (as per knowledge shared on developer networks, vendor advisories and known-exploited-vulnerability catalogs) are being actively exploited, which sees the vulnerabilities total reduced to 34.
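The three-stage funnel above is easy to reproduce in miniature. The block below is an added example, not Qwiet AI’s code and not how preZero implements its filters: it applies a severity threshold, then a reachability check (a breadth-first walk over a call graph from the functions an attacker can drive), then an ‘actively exploited’ flag, and reports how many findings survive each stage along with the call path that makes each survivor reachable. The call graph, the entry points, the finding identifiers (VULN-1 and so on, not real CVEs) and the exploited flags are all constructed for the illustration; a real pipeline would take the call graph from the scanner’s program analysis and the exploited flag from an external catalog.

```python
"""Severity -> reachability -> known-exploited triage, as an added example.

Everything here (call graph, entry points, findings, exploited flags) is
constructed for illustration and is not Qwiet AI's code or data.
"""
from collections import deque
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    id: str                   # hypothetical finding id, not a real CVE
    severity: str             # low / medium / high / critical
    function: str             # code location the scanner flagged
    actively_exploited: bool  # e.g. present in a known-exploited catalog


# Constructed call graph: caller -> callees. The two API handlers are the
# only entry points an attacker can drive; the CLI reindex path exists in
# the codebase but nothing network-facing ever calls it.
CALL_GRAPH = {
    "api.handle_upload": ["parsers.parse_xml", "storage.save"],
    "api.handle_login": ["auth.check_password"],
    "parsers.parse_xml": ["xmllib.expand_entities"],
    "storage.save": ["fsutil.write"],
    "auth.check_password": ["hashlib_compat.md5_digest"],
    "cli.reindex": ["search.rebuild"],
    "search.rebuild": ["legacy.eval_query"],
}
ENTRY_POINTS = {"api.handle_upload", "api.handle_login"}

# Constructed scanner output: eight findings spread across reachable and
# unreachable code, with and without evidence of in-the-wild exploitation.
FINDINGS = [
    Finding("VULN-1", "critical", "xmllib.expand_entities", True),
    Finding("VULN-2", "high", "legacy.eval_query", True),
    Finding("VULN-3", "medium", "fsutil.write", True),
    Finding("VULN-4", "high", "hashlib_compat.md5_digest", False),
    Finding("VULN-5", "critical", "search.rebuild", False),
    Finding("VULN-6", "low", "storage.save", False),
    Finding("VULN-7", "high", "api.handle_login", True),
    Finding("VULN-8", "high", "cli.reindex", False),
]


def reachable_from(call_graph, entry_points):
    """Breadth-first walk from the entry points. Returns {function: caller}
    so a call path can be reconstructed for any reachable function."""
    parent = {e: None for e in sorted(entry_points)}
    queue = deque(sorted(entry_points))
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    return parent


def call_path(parent, fn):
    """Walk the parent map back to the entry point, e.g.
    ['api.handle_upload', 'parsers.parse_xml', 'xmllib.expand_entities']."""
    path = []
    while fn is not None:
        path.append(fn)
        fn = parent[fn]
    return path[::-1]


def triage(findings, call_graph, entry_points, min_severity="high"):
    """Apply the three filters in the article's order and keep the count at
    each stage, so the reduction itself is visible to the reader."""
    threshold = SEVERITY_RANK[min_severity]
    severe = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    parent = reachable_from(call_graph, entry_points)
    reachable = [f for f in severe if f.function in parent]
    exploited = [f for f in reachable if f.actively_exploited]
    return {
        "total": len(findings),
        "severe": len(severe),
        "reachable": len(reachable),
        "exploited": len(exploited),
        # Ticket-shaped records a tracker could ingest; the call path tells
        # the developer why the finding is reachable, not just that it is.
        "tickets": [
            {"id": f.id, "severity": f.severity,
             "path": " -> ".join(call_path(parent, f.function))}
            for f in exploited
        ],
    }


if __name__ == "__main__":
    result = triage(FINDINGS, CALL_GRAPH, ENTRY_POINTS)
    print({k: v for k, v in result.items() if k != "tickets"})
    for ticket in result["tickets"]:
        print(ticket)
```

Two points worth noting from the design. The cheap filter (severity) runs before the expensive one (reachability, which in a real tool is a query over the program’s graph), so the order is not just a narrative device. And ‘unreachable’ is a statement about the call graph as currently known: a missing route, reflection, or a new caller added next sprint can make VULN-2 reachable overnight, so deprioritized findings should be re-evaluated on every scan rather than closed.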

From insurmountable to manageable

With the difference between a seemingly insurmountable 286 and a more manageable 34 being fairly obvious, the opportunity to cut through the noise and focus on what CISO Hatter calls the ‘issues that really matter and are most impactful to the business’ is an appealing option – and this is what one click of the Qwiet Button provides.

“At this lower level [in our example 34], we can then put these vulnerability fixes directly into the software engineering team’s development workflow,” explained Hatter. “These remediation actions are integrated into the developer workflow so that they exist in the team’s project management tool – such as Jira – so that action can be taken immediately where it matters most.”

The evolution happening here is fascinating to watch and the questions it throws up next will be (arguably) well worth tracking. With so much operational software code out there running without the requisite level of vulnerability assessment, perhaps some teams might not want to hear the cacophony of the initial code audits in the first place. For those that would prefer to stay blind – or in this case deaf – to reality, the promise of the quiet life may never happen.

Qwiet AI gives away free earplugs (not a joke) for those who can’t cope; software-based solutions are sure to be a more hygienic route.
