Apiiro introduced Risk Detection at Design Phase, a new,
AI-driven capability that automatically analyzes feature requests to identify
risks and proactively initiate security reviews or threat models at the
earliest stage of the application development lifecycle. With this new,
first-of-its-kind capability, application security (AppSec) practitioners can
now scale their secure software development lifecycle (SSDLC) processes by
mitigating security and compliance risks before a single line of code is
written.
Security products on the market today detect risks only
after the development process has begun. This results in wasted time for
developers due to manual risk assessment questionnaires, which impact release
velocity and business value. With the detection of risks at the design phase,
Apiiro customers can proactively address security, data privacy,
infrastructure, compliance, and other risks at the onset of development, saving
significant time and costs while minimizing rework and accelerating secure software
delivery.
Apiiro's detection of risky feature requests is built on
cutting-edge AI technology, including Apiiro's native private LLM. This model,
not accessible by ChatGPT or any other public LLM services, ensures customer
privacy and compliance by automatically analyzing feature requests and
proactively identifying potential risks associated with:
- Architecture design and
security controls: requests for changes in
APIs, network, databases, web servers, web clients, logging, serialization
and other component configurations, architecture designs, and deployment
of new or changed components.
- Sensitive data handling:
storing
and/or processing sensitive information like PII, PHI payment data fields
as part of the application data flow, changing encryption mechanisms, data
migrations, writing sensitive data to logs, and using sensitive data as an
API return type.
- User permissions and
access management: user authentication and
authorization, login or registration processes, and changing user
permissions.
- Generative AI technology: adding or changing
generative AI tools, frameworks, technologies, and the data that is
exposed to them.
- Third-party
integrations, and open source dependencies: changing or adding open
source dependencies and integrations with third-party services.
For each risky feature request, enriched by the code
architecture generated by its Deep Code Analysis (DCA) technology, Apiiro's
native private LLM model automatically generates contextual questions for a
security review and produces threat stories using the STRIDE model. This
automation eliminates the need for manual security processes, accelerating
development velocity and deployment of secure code to the cloud, ultimately
driving business growth. In addition, Apiiro enhances design risk context by automatically
mapping to specific code commits, repositories, and pull requests, providing
deeper insight into how potential risks may manifest in the actual codebase.
"Detecting potential risk at the design phase gives us
the opportunity to remediate risks before they exist, and in the most efficient
way for our developers. However, it's challenging to do this at scale and to
ensure full coverage of features our development team are building. Apiiro's
design phase risk detection engine is a unique capability in the ASPM space. It
allows us to modernize our approach to Secure-by-Design, scale and strengthen
our security engagement, and provide some automation to our threat modeling and
security requirements processes." -Head of Security Engineering at
Fortune 100 retail company
"Amidst the ever-changing complexity of modern software
development processes and application architectures, Apiiro is committed to
delivering complete risk-based visibility and protection from design to
runtime," said Moti Gindi, chief product officer at Apiiro. "Building secure
software starts with secure design, and the new AI-Driven Risk Detection at
Design Phase from Apiiro takes the ‘shift left' approach a step further,
addressing risks even before a single line of code is written. This first-of-its-kind
functionality leverages the power of AI to ensure customers have the context
required to facilitate efficient security reviews and evolve from a
reactive to a proactive approach to application security."