Prioritizing Security in Software: Leveraging AI for Everyday Protection

DevSecOps, the practice of integrating security into every phase of the software development lifecycle, has been established in software shops for many years and is meant to make workflows more collaborative and better informed. A well-functioning DevSecOps effort delivers reduced time to fix security issues, less burdensome security processes, and increased ownership of application security. Building on that foundation, there is growing interest in adding AI or machine learning capabilities to DevSecOps workflows, as shown in a recent SANS Institute survey of 363 IT executives and managers. The survey finds that the share of respondents investigating or experimenting with AI or data science to enhance DevSecOps rose 16 percentage points over the past year, from 33% in 2022 to 49% in 2023.

While interest in applying AI to the software development lifecycle is on the rise, there is also skepticism about fully incorporating AI into workflows. Approximately 30% of respondents reported not using AI or data science capabilities at all, reflecting concerns about data privacy and intellectual property ownership.

There is also an increase in pilot projects that bring security operations into AI, machine learning operations, and data science operations, which suggests that organizations are performing threat modeling and risk assessments before incorporating AI capabilities into products. At the same time, many organizations feel an urgent need for more qualified DevSecOps personnel, with 38% reporting skills gaps in this area.

The report emphasizes the importance of sparking more interest in the field of DevSecOps to cope with the scarcity of talent amid competitive pressures. Platform engineering, which aims to streamline the flow of software from idea to implementation, is also gaining ground, with 27% of respondents fully or partially adopting it. A well-implemented software engineering platform, designed in close collaboration with security stakeholders, could well meet an organization's application security orchestration and correlation objectives.