Checkmarx Adds Hybrid SAST Engine to Improve AppSec in AI Era
Checkmarx this week revealed it has re-engineered the core engines embedded within its static application security testing (SAST) tools for the agentic artificial intelligence (AI) era. At the core of that effort is a next-generation SAST hybrid scanning engine that combines three distinct capabilities within the Checkmarx One platform. An existing deterministic rules-based foundation is now being extended using a purpose-built large language model (LLM) and a Finding Analysis Engine (FAE) that suppresses false positives.

Frank Emery, director of product management for Checkmarx, said the SAST tools embedded in the Checkmarx One platform, as a result, now combine existing deterministic results for specific programming languages with the probabilistic insight generated by LLMs that have been shown to be effective at discovering vulnerabilities. The challenge is that LLMs tend to generate a lot of false positives, which can now be sharply reduced using the FAE, he added.

The overall goal is to provide DevSecOps teams and application security professionals with the best of what traditional SAST tools and LLMs provide via a single platform that determines the degree to which a vulnerability is actually exploitable, said Emery.

Historically, DevSecOps teams have relied on SAST tools that are able to surface security issues that are specific to a programming language. Armed with those insights, application development teams were able to address vulnerabilities and weaknesses in source code before it was compiled. LLMs add an ability to discover additional issues after code has been compiled no matter what programming language has been used. Those two capabilities are now being combined in a way that promises to make it simpler for DevSecOps teams to improve the quality of the code that ultimately gets deployed in a production environment.
Additionally, those insights can also be shared with the dynamic application security testing (DAST) tools that Checkmarx provides to make it easier to identify the root cause of any security issue that arises after software is deployed in a production environment, noted Emery.

Those capabilities, collectively, are more crucial than ever in an era where AI coding tools are generating more vulnerabilities than ever. In fact, a recent Checkmarx survey finds 70% of respondents reporting they are also now discovering more vulnerabilities, with 31% describing that increase as being significant.

Mitch Ashley, vice president and practice lead for software lifecycle engineering at the Futurum Group, said layering a reasoning engine over deterministic scanning concedes that rule-based pattern-matching alone has reached its ceiling against AI-generated code. That structural shift moves the decisive layer from detection to reasoning about which findings actually warrant a developer's attention, he added. DevSecOps teams will now judge tools based on how well they reason about exploitability and remediation at machine speed, noted Ashley.

It's not clear to what degree software engineering teams are revisiting DevSecOps workflows in the age of AI, but the one thing that is apparent is that existing processes are not up to the challenge, so it's now more a question of how much change can be absorbed before there is a major incident that could have easily been avoided with a little additional foresight and planning.