AI agents in software supply chain security actively engage

In the realm of software supply chain security, the focus has shifted from mere vulnerability detection to proactive vulnerability fixes with the introduction of new AI agents by multiple vendors. These AI agents, autonomous software entities powered by large language models, are capable of acting on natural language prompts or event triggers within software development environments.

As the use of AI assistants and agents like GitHub Copilot becomes more prevalent in enterprise software development pipelines, experts warn of the potential security risks posed by the sheer volume of AI-generated code. Melinda Marks, an analyst at Enterprise Strategy Group, emphasized the importance of supporting developers using AI while also leveraging AI to assist security teams in addressing potential vulnerabilities.

One company making significant strides in this space is Endor Labs, which initially focused on detecting and remediating open source software vulnerabilities. CEO and co-founder Varun Badhwar highlighted the increasing significance of AI-generated code in enterprise software and the potential vulnerabilities associated with it. Endor Labs is set to release AI agents trained to perform code reviews, aiming to identify architectural flaws that could be exploited by attackers and prioritize recommended fixes.

Customers of Endor Labs have expressed optimism about the potential of the new AI agents to accelerate security processes and improve collaboration between security and development teams. Aman Sirohi, senior vice president of platform infrastructure and chief security officer at People.ai, praised the AI Security Code Review feature for its ability to explain vulnerabilities in plain English, enabling better communication between security and development professionals.

Another player in the software supply chain security market, Lineaje, recently unveiled AI agents designed to detect and fix security risks in source code and containers. The company’s focus on automating tasks such as code comparison and compatibility analysis aims to streamline security processes for developers. However, trust in AI remains a concern for some enterprises, as highlighted by analyst Melinda Marks.

Cycode, another vendor in the AppSec platform space, introduced runtime memory protection for CI/CD pipelines through its Cimon project. The company’s AI teammates, including agents for change impact analysis and exploitability detection, aim to enhance risk management in software development environments. The convergence of software supply chain security and application security posture management is noted by experts as a significant trend in the industry.

Despite the potential benefits of AI agents in enhancing security operations, organizations must exercise caution in how these agents access their environments. Analyst Katie Norton emphasized the importance of implementing technologies like runtime attestation and policy enforcement engines to govern and secure AI agents effectively. Endor Labs and Lineaje have implemented role-based access controls to govern their AI agents, while the security measures of Cycode’s agents remain under scrutiny.

Looking ahead, stakeholders in the software supply chain security space are advocating for a comprehensive security framework for managing AI agents and ensuring secure access to systems. The evolution of software supply chain security and its integration with broader AppSec practices reflect the increasing complexity and importance of securing enterprise software development pipelines in the age of AI technology.
