Two hacks over the last 12 months in South Africa – at the Companies and Intellectual Property Commission of South Africa (CIPC) and a famous retailer – illustrate yet again how urgent is the need for a multi-layered approach to security, including robust application security, says Sagaran Naidoo, Sales Director at CASA.
“Given the proliferation of apps in today’s business world – it’s no mistake we now talk about the application economy – it’s become imperative that software is designed from the ground up with security in mind,” says Naidoo. “This requires a massive mindset change for developers because they are typically focused on speed. They live under constant pressure from the business to get new applications ready for use. This in turn means that issues with the software are often undetected early on and require manual fixes late in the development life cycle – a very time-consuming and expensive process that can introduce new issues.
“Many of the issues simply don’t get fixed, creating a ‘security debt’ that makes the application more vulnerable to hackers.”
Globally, Statista figures indicate the app economy grew by a compound annual rate of 37%, from US$1.3 trillion in 2016 to US$6.3 trillion in 2021, while South Africa’s app economy grew by 10% in the 2020-22 period, with more growth to come.
The conclusion is clear, Naidoo argues: software must be created with security in mind from the get-go given this inevitable growth and the proliferation of cyber attacks.
“The big change is that we have to move from finding the issues to fixing them rapidly – developers simply don’t have the time to fix bugs manually given their tight deadlines,” Naidoo says. “Another big factor is that advances in software development, including DevOps, automation and the use of AI itself in coding are making the process faster, but often more insecure.”
The security debt trap
Veracode’s State of Software Report 2023 shows 56% of Java applications have flat or rising security debt, underlining the need to identify and fix flaws at scale.
As this security debt accumulates, the risks that come with using vulnerable applications increases. It is worth repeating that the later in the development cycle a bug is identified, the more expensive it is to fix. Fixing is seen as a distraction by developers, who are more focused on creating software that delivers great user experiences and thus drives the bottom line.
In short, says Naidoo, finding bugs rapidly has to become paired with the ability to fix them as quickly. Veracode has seen this need and has augmented its leadership in finding coding flaws with the ability to fix them rapidly.
“Veracode Fix uses AI to generate a list of suggested fixes, which a developer can review and then choose the best one – the chosen fix is then implemented automatically without the need to write code manually,” he says. “This is a great example of how AI can be used to complement the abilities of humans, to make them more effective, not to replace them.”
Responsible AI
An important differentiator for Veracode Fix is that it uses responsible AI to deliver its benefits, again showing a unique understanding of how humans and algorithms can work effectively together.
One important element is that Veracode Fix is trained on a proprietary and highly curated dataset of reference patches. As numerous examples have shown, using open datasets leads to inaccurate or even ridiculous results. For example, made-up facts generated by ChatGPT and preposterous images created by Google Gemini have received saturation media coverage over past months.
In addition to using a curated, reliable dataset, Veracode Fix’s training is supervised by human security experts, ensuring optimal results.
“There’s no AI black box here,” comments Naidoo.
Veracode Fix’s adherence to responsible AI best practice means that customer data is encrypted in transit and at rest and is not used or retained for training purposes.
“Veracode Fix represents a paradigm shift that integrates find and fix into a single process that optimises the use of overstretched developers and bakes security into the application, without sacrificing the speed today’s business environment demands. It works with both custom and third-party code, so the organisation’s security debt is constantly being reduced. This is the future of application security,” concludes Naidoo.
For more information, read Veracode Fix and the future of intelligent software security.
Veracode is a sponsor of the annual ITWeb Security Summit 2024 to be held at Sandton Convention Centre in Sandton, Johannesburg from 4 to 5 June 2024. Visit and register.
Share