Company News, Product

New from Apiiro: Detect and Address AppSec Risks with Apiiro Native LLM Models Before Code is Even Written

Ella Bor
Data Science Team Lead at Apiiro
Nadav Shakarzy
Product Manager
Published August 7 2024 · 5 min. read

A Better Way to “Shift Left” Application Security

Traditional approaches to security in software development typically address security risks only after development has started, or even post-deployment, leading to costly fixes and potential security breaches.

The modern DevSecOps approach aims to integrate security early in the software development lifecycle (SDLC). However, even this “shift left” approach has struggled to identify security risks in the pre-development phase, as there’s often nothing concrete for SecOps to assess when new features are still being conceptualized. Until now. 

Recognizing the importance of early risk-identification, we are excited to introduce our latest addition to the AppSec expert’s toolbox: Risk Detection at Design Phase by Apiiro. This first-of-its-kind feature shifts risk detection further “left” than ever before – embedding security considerations from the conceptual stages of software projects, before a single line of code is written. Built on Apiiro’s native private LLM, this feature analyzes tickets within our customers’ IT work management systems to identify potential risks, ensuring that security is a foundational element of their design process. 

In this post, we’ll dig into the benefits, methodology, and safety of this latest innovation from Apiiro. Read on to learn how Risk Detection at Design identifies and mitigates security risks in the design phase of development – before developers spend a single minute writing new code.

The Importance of Early Risk Detection

Traditionally, security was an afterthought during software development. The Secure by Design (SbD) framework amends that approach by building security and risk management into every phase of the development process, starting during initial design. Detecting risks early at the design phase is crucial, and empowers teams to proactively mitigate security concerns before they manifest in the codebase. This not only reduces the likelihood and impact of risks arising later, but also optimizes resource allocation by avoiding rework and delays associated with late-stage security fixes. Risk Detection at Design Phase was conceptualized and built according to the principles of SbD, aiming to address potential risks at the outset of development. 

View and Manage Risks with Apiiro

Let’s imagine you are an application security engineer at an enterprise data management firm. The development team is tasked with integrating a new third-party service: a chatbot that provides a first touchpoint for clienteling with website visitors. How do you ensure that the additions to the codebase for this feature don’t introduce application security risks?

Step 1: Connect Apiiro to Your Organization’s Ticketing System

The first step is integrating your organization’s work management system with Apiiro. The Apiiro platform seamlessly connects with popular ticketing systems, such as Jira, GitHub and Azure DevOps, to automatically pull the relevant tickets and issues.

Step 2: Link Tickets to Code Components

At this stage, Apiiro links the ticket directly to the associated application or code component, such as a repository, PR, or branch, providing additional context about the ticket.

Step 3: Analyze Findings

Once integrated, Apiiro uses its native LLMs to analyze each ticket’s content and context and identify potential security concerns. Apiiro analyzes the design request and determines if and where it might introduce a security risk once implemented. This analysis also draws on context from the code component, product or application associated with the proposed design. 

When a risky ticket is identified, Apiiro automatically classifies the risk into a distinct risk category, such as generative AI technology usage, sensitive data handling, user permissions and access management, and more. By categorizing risks, Apiiro helps ensure that the appropriate mitigation strategies are applied, enabling effective risk management and decision-making.

For each detected risk, Apiiro also generates comprehensive risk explanations in natural language as evidence for why the ticket has been flagged as risky, enabling users to triage and understand the specific security implications and the reasoning behind the risk.

Step 4: Remediate Risks

To better understand the nature of the risk and streamline the remediation process, Apiiro generates threat modeling stories and security review questions tailored to the specific security concerns identified in the ticket and the associated repository, application or product. These remediation suggestions save AppSec experts time and effort in identifying ways to modify the ticket requirements, and help ensure that all security measures are taken into consideration pre-development.

Apiiro also generates a list of recommended contacts for the remediation process, based on the relevant ticket and the associated applications or code components.

Customize Your Own Risk Policies with the Risk Graph Explorer

Customers can leverage the Risk Graph Explorer to define and create customized risk policies. These custom policies streamline the risk management process and ensure that you can focus on the most relevant risks.

The policies can be based on a variety of attributes and properties of the ticket, the project, and the associated application or repository. For example:

  1. Minimize irrelevant alerts by focusing only on tickets about sensitive data handling in applications that shouldn’t handle such data.
  2. Focus on impactful risks by prioritizing insecure architecture design associated only with High Business Impact or user-facing applications.
  3. Prioritize risks associated with Generative AI technology usage in applications that contain PII or other sensitive data.

Enhance the Risk Analysis Process by Mapping Tickets to Code

Apiiro enhances the context of identified risks by mapping them to specific code entities, such as commits, repositories, branches, and pull requests. This provides a deeper insight into how potential security issues in design might manifest in the actual codebase. Through this mapping process, AppSec practitioners experience the following benefits:

  1. Faster Root Cause Analysis: Connecting tickets to material changes or newly identified risks lets you trace security concerns back to specific feature requests or design decisions, and mitigate risk at the source.
  2. Enhanced Visibility and Risks Prioritization: Gain a clear view of where potential issues may arise, and what products or services they might affect.
  3. Comprehensive Security Coverage: Ensure that all repositories and branches associated with risky tickets are actively monitored and protected by security tools.
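To make the policy and mapping ideas in the two sections above concrete, here is an added example in Python. It is not Apiiro’s code and does not use the Apiiro API; the attribute names, risk category labels, policy names, ticket keys and sample records are all hypothetical and constructed for illustration. It assumes tickets already carry a risk category from analysis and that applications carry business-impact and data-classification tags, then evaluates the three example policies and maps tickets to code by the ticket key found in branch names, commit messages and PR titles.

```python
"""Added example (not Apiiro's code): a small design-phase risk policy engine
plus ticket-to-code mapping by ticket key. All names and records are hypothetical."""
import re
from dataclasses import dataclass

# Jira-style ticket keys such as "WEB-201" inside branch names / commit messages.
TICKET_KEY = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")


@dataclass(frozen=True)
class Application:
    name: str
    business_impact: str              # "high" | "medium" | "low" (hypothetical tag)
    user_facing: bool
    data_classes: frozenset           # data the app actually holds, e.g. {"PII"}
    allowed_data_classes: frozenset   # data the app is permitted to handle


@dataclass(frozen=True)
class Ticket:
    key: str
    app: str                          # application the ticket is linked to
    risk_category: str                # label assigned by analysis (hypothetical)
    data_classes: frozenset           # data classes the proposed design would touch


@dataclass(frozen=True)
class CodeRef:
    repo: str
    kind: str                         # "branch" | "commit" | "pr"
    text: str                         # branch name, commit message or PR title


# (policy name, rule) pairs mirroring the three example policies in the post.
POLICIES = [
    ("sensitive-data-in-wrong-app",
     lambda t, a: t.risk_category == "sensitive_data_handling"
     and bool(t.data_classes - a.allowed_data_classes)),
    ("insecure-architecture-hbi-or-user-facing",
     lambda t, a: t.risk_category == "insecure_architecture"
     and (a.business_impact == "high" or a.user_facing)),
    ("genai-in-app-with-sensitive-data",
     lambda t, a: t.risk_category == "genai_usage" and bool(a.data_classes)),
]


def evaluate(tickets, apps, policies=POLICIES):
    """Return (policy_name, ticket_key) for every policy a ticket matches."""
    hits = []
    for t in tickets:
        app = apps[t.app]
        for name, rule in policies:
            if rule(t, app):
                hits.append((name, t.key))
    return hits


def map_tickets_to_code(refs):
    """Group code references by every ticket key their text mentions."""
    mapping = {}
    for ref in refs:
        for key in set(TICKET_KEY.findall(ref.text)):
            mapping.setdefault(key, []).append(ref)
    return mapping


def coverage_report(refs, hits):
    """For each flagged ticket, the repos already carrying its changes.
    An empty list means the risk exists only at design level so far."""
    mapping = map_tickets_to_code(refs)
    return {key: sorted({r.repo for r in mapping.get(key, [])})
            for _, key in hits}


# Constructed sample data (hypothetical).
APPS = {
    "website": Application("website", "high", True,
                           frozenset({"PII"}), frozenset({"PII"})),
    "metrics": Application("metrics", "low", False, frozenset(), frozenset()),
}
TICKETS = [
    Ticket("WEB-201", "website", "genai_usage", frozenset({"PII"})),          # chatbot
    Ticket("MET-17", "metrics", "sensitive_data_handling", frozenset({"PII"})),
    Ticket("MET-18", "metrics", "insecure_architecture", frozenset()),
]
CODE_REFS = [
    CodeRef("web-frontend", "branch", "feature/WEB-201-support-chatbot"),
    CodeRef("web-frontend", "commit", "WEB-201: add chat widget and vendor SDK"),
    CodeRef("metrics-svc", "pr", "MET-18 simplify dashboard auth"),
    CodeRef("metrics-svc", "commit", "refactor logging (no ticket)"),
]

if __name__ == "__main__":
    found = evaluate(TICKETS, APPS)
    print(found)
    print(coverage_report(CODE_REFS, found))
```

In the sample data, the chatbot ticket is flagged because the website holds PII, and MET-17 is flagged because the metrics app is not permitted to handle PII. MET-18 is not flagged (low-impact, internal app), while MET-17 has no code references yet, which is exactly the design-only case this feature targets. Real policies would of course be richer than three lambdas, but the shape, a ticket-level risk category joined with application attributes, is the point.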

Tackle Application Risk Without Sacrificing Data Privacy

As AI-powered security workflows become widespread, data privacy is a primary concern. Apiiro is committed to handling your data securely and to the highest standards. Our proprietary LLM models and native resources operate on our secure, in-house compute infrastructure, ensuring that private customer data is never sent or exposed outside the cluster and region where it is stored. Additionally, we implement strict measures to sanitize and anonymize all data, ensuring that your sensitive information remains protected throughout the entire process.

Importantly, Risk Detection at Design Phase is both opt-in and fully configurable, allowing you to decide whether to participate and select which data to include in the process.

The Bottom Line

By shifting security considerations to the earliest stages of software development, Risk Detection at Design Phase ensures that potential risks are identified and addressed before any code is written. It identifies risks across custom-defined categories and provides tailored, case-specific remediation guidance to AppSec experts without the need for extensive manual review. This new tool enables AppSec teams to enact meaningful risk prioritization, remediation, and prevention before developers spend a minute on their next ticket.


For media inquiries and more information see our press release.