The Rise of AI in Application Security: An Analysis of Qwiet AI's Capabilities and Impact
Qwiet AI is a San Jose, California-based company that develops an AI-powered application security platform. The company's flagship product, preZero, uses machine learning to automate and accelerate application security testing, enabling developers to identify and remediate vulnerabilities early in the software development lifecycle (SDLC). Qwiet AI was founded in 2016 by a team of experienced cybersecurity professionals with a shared vision of empowering developers to build secure software. The company's mission is to "Prevent the Unpreventable" by providing a comprehensive and AI-driven solution that helps organizations of all sizes secure their applications from the very beginning.
I spent an hour with Bruce Snell from Qwiet AI and he shared the company's history and product strengths and how they are embracing AI to forge an industry-leading roadmap.
At the heart of Qwiet AI's application security platform lies its Code Property Graph (CPG) technology. This approach breaks down an application into its constituent components and tracks data flow throughout the system, providing a comprehensive and accurate representation of the application's security posture. Unlike traditional methods that rely solely on library vulnerability lists, Qwiet AI's CPG identifies reachable vulnerabilities by considering the actual data flow within the application. This granular analysis eliminates false positives and allows developers to focus on truly critical security issues. The CPG technology also contributes to Qwiet AI's rapid scan times, averaging around 90 seconds. By abstracting the application into a machine-readable format, the platform can efficiently process and analyze large codebases. This speed advantage empowers developers to promptly identify and address vulnerabilities, maintaining a secure software development lifecycle. This technology serves as a cornerstone of Qwiet AI's application security platform, enabling accurate, efficient, and actionable vulnerability detection.
The CPG provides a structured representation of the application, streamlining the AI's analysis process. This enables the AI to quickly identify potential vulnerabilities in both open-source and proprietary libraries, even those with complex structures or modifications. The AI engine's training data set comprises over 78 billion lines of code analyzed by Qwiet AI’s code analysts. This extensive data enables the AI to accurately identify and prioritize vulnerabilities, reducing the burden on human analysts. For instance, a library that previously took a week to analyze manually can now be scanned and analyzed by the AI engine in just two minutes. This drastic reduction in time significantly improves the efficiency of vulnerability detection and remediation, enabling developers to address issues promptly and maintain a secure software development lifecycle. Qwiet AI’s AI engine transforms vulnerability detection from a time-consuming manual process into a rapid and accurate automated task.
Qwiet AI's secrets detection capabilities extend beyond mere identification to encompass business logic analysis, providing a more holistic view of potential security risks. By analyzing code from the perspective of business logic flaws, Qwiet AI can identify instances where secrets are being mismanaged, such as when they are stored without encryption or written to logs. The integration process for secrets detection is straightforward, supporting a variety of repositories and CI/CD pipelines. Users can add applications through the web interface or use the command-line interface for bulk onboarding. Qwiet AI's rapid scan times, averaging around 90 seconds, enable organizations to integrate scans into their development workflows. The scan duration is often shorter than the project's compilation time, allowing for frequent and timely vulnerability detection.
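The two analyses described above, reachability of a vulnerable library function from untrusted input and a secret flowing into a log call, are illustrated here with a toy data-flow graph. This is an added example, not Qwiet AI's code or its CPG implementation; the node names, the sanitizer convention and the advisory list are all constructed, and the graph stands in for the data-flow edges a real CPG would derive from source code.

```python
from collections import deque

# Constructed data-flow edges for a small web service: node -> receivers.
FLOW = {
    "http.request.param": ["parse_body", "sanitize"],
    "sanitize": ["db.query"],                # validated copy, safe path
    "parse_body": ["lib.yaml_load"],         # advisory-listed and reachable
    "lib.unused_vuln_fn": [],                # advisory-listed, never called
    "config.API_KEY": ["build_auth_header", "logger.info"],
    "build_auth_header": ["http.client.send"],
}
UNTRUSTED = {"http.request.param"}           # attacker-controlled inputs
SECRETS = {"config.API_KEY"}
ADVISORY_FUNCS = {"lib.yaml_load", "lib.unused_vuln_fn"}  # from a vuln list
LOG_SINKS = {"logger.info"}
SANITIZERS = {"sanitize"}                    # data passing here is cleaned

def paths_to(graph, start, targets):
    """BFS from start; return {target: path}. Flows stop at a sanitizer."""
    found, queue, seen = {}, deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in targets and node != start:
            found[node] = path
        if node in SANITIZERS:
            continue
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return found

def advisory_only(graph):
    """Library-list approach: flag every advisory function present at all."""
    present = set(graph) | {n for succ in graph.values() for n in succ}
    return sorted(present & ADVISORY_FUNCS)

def reachable_vulns(graph):
    """CPG-style approach: flag an advisory function only if untrusted data reaches it."""
    hits = {}
    for src in UNTRUSTED:
        hits.update(paths_to(graph, src, ADVISORY_FUNCS))
    return hits

def leaked_secrets(graph):
    """Secrets handling check: report secrets whose value flows into a log call."""
    out = {}
    for s in SECRETS:
        hits = paths_to(graph, s, LOG_SINKS)
        if hits:
            out[s] = hits
    return out
```

Running `advisory_only(FLOW)` reports both advisory functions, while `reachable_vulns(FLOW)` reports only `lib.yaml_load`, the one untrusted data actually reaches; the unused function is the false positive the reachability check removes.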
In summary, the Qwiet AI platform offers several key benefits to organizations, including:
- Faster and more accurate scan results: preZero's AI capabilities enable it to identify vulnerabilities more efficiently and accurately than traditional application security testing (AST) tools.
- Reduced false positives: The CPG technology helps minimize false positives, saving developers time and effort in addressing non-existent issues.
- Continuous security integration: preZero integrates seamlessly into the SDLC, allowing for continuous security monitoring and remediation throughout the development process.
- Improved security posture: By identifying and addressing vulnerabilities early, preZero helps organizations significantly reduce their risk of security incidents and data breaches.
Qwiet AI has received recognition for its innovative approach to application security, including awards from Gartner and DevOpsWorld. The company has also built partnerships with leading cloud providers and security vendors to expand its reach and integrate its platform with various development environments.
Sources:
- Interview with Bruce Snell from Qwiet AI, October 2023
- Preventing the Unpreventable | Qwietᴬᴵ
- Code Property Graph – Preventing the Unpreventable | Qwietᴬᴵ
- AI/ML – Preventing the Unpreventable | Qwietᴬᴵ
- Intelligent SCA – Preventing the Unpreventable | Qwietᴬᴵ
Our Take
Qwiet AI is firmly committed to continuous innovation, consistently enhancing its platform to align with the evolving needs of its customers. The company is actively exploring advancements in AI capabilities to further automate various aspects of application security testing, providing deeper and more comprehensive insights into application security risks. In addition, Qwiet AI is expanding its focus on seamless integration with DevSecOps practices, ensuring that security is embedded into the development process from the very beginning.
Overall, Qwiet AI stands as a rising star in the application security landscape. Its powerful AI-driven platform empowers developers to build secure software with greater efficiency and effectiveness. The company's unwavering commitment to innovation and a customer-centric approach is driving its growth and solidifying its position as a key player in shaping the future of application security.