Over the past 20 years we have seen application security evolve from analysing application code through Static Application Security Testing tools, to detecting vulnerabilities in running applications via Dynamic Application Security Testing tools. The past 10 years have seen new flavours of tools: Software Composition Analysis, Web Application Firewalls, and Runtime Application Self Protection.
The past 10 years have also seen an increase in the uptake of the DevOps model, which combines software development and operations. Several tools have been developed that use machine learning to help developers make quality decisions about their code, their tests, or the runtime overhead their code produces. However, little has been done to address application security.
This talk focuses on a vision for Intelligent Application Security in the context of the DevSecOps model, where security is integrated into DevOps, by informing program analysis with learning techniques including program synthesis, and keeping track of a knowledge base.
What is Intelligent Application Security?
Intelligent Application Security aims to provide an automated approach to integrate security into all aspects of application development and operation, at scale, using learning techniques that incorporate signals from the code and beyond, to provide actionable intelligence to developers, security analysts, operations staff, and autonomous systems.