CIO Bulletin

Qwiet AI – The AI powered appsec platform helping developers to find and fix high-priority vulnerabilities

It seems like every day we hear about another company or government falling victim to a cyberattack. It stands to reason since the bad actors only need to be right once where cybersecurity teams need to be right all the time. Imagine if you were able to stop an attack before it could take place or better yet predict vulnerability based on what’s going on in your environment before it’s discovered. Qwiet AI is one such company which is on a mission is to help you find and eradicate security defects in software code before they are deployed into your production environment and do so with speed and accuracy unrivaled in the space. At Qwiet AI it enables you to prevent the unpreventable by addressing and fixing unknown unknowns.

AI/ML Platform appsec platform: Finding and fixing vulnerabilities before they are deployed

When looking at in-house or custom third-party libraries, manual inspection by security analysts is necessary to find the true vulnerabilities without creating false positives or false negatives. The Qwiet AI engine within the preZero platform scans those previously unknown libraries and compares them against open source and previously analyzed libraries to find new vulnerabilities almost instantly. This allows Qwiet AI to do more than find zero day vulnerabilities, but to also find previously unknown (or unreleased) vulnerabilities.

Of course with any AI, a guiding hand is needed to provide highly accurate results. When Qwiet AI finds previously unknown vulnerabilities, the results are double-checked by their security research team before being flagged as actual vulnerabilities.Validated results are then included in the scan results, but are also used to further train the AI, allowing for increasingly accurate scan results in the future. Qwiet detects and prioritizes the vulnerabilities that pose the greatest risk of compromise by attackers, so that you can focus on the high priority fixes.

The ultimate goal of the preZero platform is to use a combination of known vulnerabilities, heuristic detections, and guided AI to quickly provide accurate results. This allows their customers to fix reachable and attackable vulnerabilities without wasting developer time hunting down false positives or upgrades that could be done at a later date. Focusing on these high priority vulnerabilities, Qwiet customers fix 70% of new vulnerabilities in 14 days or less.

People and teams only have so much bandwidth to offer and a lack of bandwidth across the software development life cycle can lead to unsecure code. Qwiet’s AI works alongside your developers and their security researchers as a force multiplier to spot the most critical vulnerabilities for them. AI is a core component of the Qwiet preZero Platform. Trained on both open-source and proprietary libraries, Qwiet’s AI technology can uncover high-risk vulnerabilities quickly and accurately. The result—a noise-free list that prioritizes the riskiest of code, which allows your team to focus on the high-priority fixes.

Code Property Graph

The Code Property Graph (CPG) breaks down code into its fundamental components, identifying functional elements and data flow paths into a single property graph. This allows preZero a holistic view of code being scanned, looking at not just the elements of the application, but also analyzing how data is flowing and how libraries interact with each other. This provides a much more accurate method for detecting security issues quickly and with dramatically lower false positives.

By applying AI and ML to the CPG, preZero becomes even more powerful and effective at finding zero-day and pre-zero-day vulnerabilities in code. Previously undiscovered vulnerabilities, which could take days and potentially weeks of analysis by security analysts and/or code scientists to discover, can be uncovered in a matter of seconds through the application of AI and ML analysis of an application’s CPG. Once results are analyzed by preZero and verified by Qwiet’s data science team, they are then fed back into the ML models, to produce even quicker discovery on the next scan, allowing the power and efficacy of the AI to continue to grow.

Where do the vulnerabilities lie? And what other elements of the app are affected? The Code Property Graph (CPG) shows you by mapping the data flows throughout your entire application and calls out what’s subject to attack.

Across user inputs, log files, databases, custom code, open-source libraries, SDKs, APIs, and microservices, the graph detects dependencies and identifies control flows, and the data lifecycle–all queryable. The CPG is a breakthrough innovation in static code analysis that allows the preZero platform to quickly analyze code and pinpoint the attackable vulnerabilities, enabling organizations to prioritize the fixes that will have the biggest impact to the security of your application. Utilizing the speed and efficiency of the CPG, Qwiet customers performed, on average over a year, one scan of their entire source code a day for a 1 minute 30 seconds per scan.

Stuart McClure | Chief Executive Officer

Stuart has over 30 years of experience in all aspects of cybersecurity including engineering, product development, marketing, sales, customer success, and executive leadership including Global CTO for McAfee/Intel, starting Cylance and Foundstone as Founder/CEO/President/CTO and birthing the cybersecurity practices for both Kaiser Permanente and Ernst & Young. Stuart is the founding author of the #1 cyber security hacking book, Hacking Exposed, which empowers defenders to understand the hacker tools, techniques, and procedures to prevent cyber-attacks. Stuart earned his B.A. in Psychology and Philosophy with an emphasis in Computer Science from CU Boulder.