
Latest news with #AppSec

Azul boosts Java security with improved runtime vulnerability detection

Techday NZ, 13-06-2025

Azul has introduced enhanced vulnerability detection capabilities to its Intelligence Cloud that aim to reduce false positives and improve the accuracy of identifying Java application security risks. The company's updated solution, called Azul Vulnerability Detection, now uses class-level production runtime data to detect known vulnerabilities within Java applications.

This approach contrasts with conventional application security (AppSec) and application performance monitoring (APM) tools, which often flag vulnerabilities based on component file names or software bill of materials (SBOM) data. Such traditional practices can generate a large volume of false positives, which the company asserts unnecessarily divert DevOps teams' time and effort.

Based on findings from the Azul 2025 State of Java Survey & Report, a significant proportion of organisations are affected by this problem, with 33% indicating that more than half of their DevOps teams' time is spent addressing false positives related to Java Common Vulnerabilities and Exposures (CVE) alerts. The broad-brush flagging approach, which does not distinguish between components actually used in production and those simply present, can result in alerts for unused or non-critical vulnerabilities.

Azul's approach leverages data from Java application production environments to establish whether vulnerable classes in a component are executed, rather than simply existing as part of a packaged file. The company claims this refinement enables the solution to eliminate up to 99% of false positives, translating to a potential 100 to 1,000 times reduction compared to earlier detection methods.

The technical approach

The solution operates by applying a curated knowledge base that maps CVEs to individual Java classes used at runtime. By examining actual code paths executed in live environments, the system can determine whether a flagged vulnerability is relevant and warrants remediation. An example cited is CVE-2024-1597, which affects specific versions of the PostgreSQL Java Database Connectivity (JDBC) driver. This high-severity vulnerability, which scores 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), can only be exploited when the driver is used in a particular non-default configuration. Conventional tools issue alerts if the driver is present in the application package, regardless of how it is used, contributing to unnecessary remediation efforts. Azul's detection mechanism discerns whether any of the 11 susceptible classes out of 470 in the component are used, thereby reducing irrelevant alerts.

Key benefits

According to Azul, the Intelligence Cloud's Vulnerability Detection capability provides several benefits to enterprises managing extensive Java estates. These include continuous, real-time detection of vulnerabilities in production environments, which helps teams rapidly triage and prioritise critical issues in high-stakes scenarios like the Log4j vulnerability event. The platform retains both real-time and historical data on component and code use, using AI methods to focus forensic investigations on vulnerabilities actively exploited prior to their discovery. Azul's vulnerability team updates the system's knowledge base with newly identified CVEs, using AI to monitor sources such as the National Vulnerability Database (NVD) and other repositories.

The runtime data collection works across Oracle JDK as well as any OpenJDK-based Java Virtual Machine (JVM), providing flexibility for organisations using a range of Java distributions, including those from Amazon, Temurin, Microsoft, and Red Hat. Azul states that this data-gathering incurs no impact on production system performance, as it leverages information already generated by the JVM during application execution.

"The improved Vulnerability Detection features strengthen the proposition of Azul's Intelligence Cloud analytics SaaS offering as a way to increase DevOps productivity and recover developer capacity by reducing the need for full-time employee time spent wasted on security false positives and inefficient triage," said William Fellows, research director at 451 Research, part of S&P Global Market Intelligence.

Company statement

"Our mission is to help enterprises focus their security efforts on what matters - real risk, not noise," said Scott Sellers, co-founder and CEO of Azul. "By eliminating up to 99% of false positives and pinpointing vulnerabilities in Java applications with 100x – 1000x greater accuracy than traditional tools, Azul Intelligence Cloud enables capacity recovery across DevOps and security teams. As a result, teams can dramatically reduce noise, prioritise real risk and accelerate remediation - all with zero impact to performance and without slowing innovation."

Azul's enhancements to its Intelligence Cloud are positioned to address long-standing productivity challenges faced by DevOps teams handling Java application security, particularly the time lost to managing irrelevant or inaccurate alerts.

Contrast Northstar brings real-time AI to application security

Techday NZ, 12-06-2025

Contrast Security has announced the general availability of its new platform, Northstar, aimed at providing a unified application security experience for development, AppSec, and security operations teams. The Northstar release introduces features which allow teams to monitor application-layer attacks in real time, mitigate breaches, and remediate vulnerabilities using artificial intelligence within minutes, according to the company.

The Contrast Graph

Central to the platform is the Contrast Graph, which creates a digital twin of an organisation's application and API environment. The Graph maps live attack paths, monitors runtime behaviour, and visualises the connection between vulnerabilities, threats, and system assets to facilitate prioritisation and remediation. The company states that this live, dynamic context is intended to "eliminate the guesswork that plagues traditional tools" by focusing efforts on actual risk and allowing targeted, automated responses. Contrast's approach combines runtime data, contextual analysis, and AI-enabled auto-remediation in an effort to reduce noise and enable precise responses.

Tyler Shields, Principal Analyst at Enterprise Strategy Group, said: "Connecting security operations processes with application security incident and vulnerability detection capabilities is a significant step towards breaking down the silos that exist between developers, application security, and security operations teams. This broad contextual analysis offering lends itself well to advanced AI-based prioritisation and automated remediation, which are the key security outcomes required by security organisations today."

Runtime intelligence

The Northstar release is designed to give Security Operations and AppSec teams a real-time understanding of application-layer threats as they occur. Active vulnerabilities can be auto-remediated with the new Contrast AI functionality, using live context and dynamic risk scoring to support decision making. The unified platform offers different views tailored to specific roles, so that developers can focus on prioritising remediation while SOC teams can identify and act on the most critical threats.

Martha Gamez-Smith, Information Security Officer at Texas Computer Cooperative | Education Service Center, Region 20, commented: "We are excited to see the new features and feel that Contrast is set apart from other competitors, beyond reach. It makes our jobs better and easier. The real data will allow our team to take action more efficiently."

Contrast Northstar pairs runtime intelligence with automation, and aims to streamline how organisations defend software against evolving risks by providing a shared perspective for development, security, and operational teams.

Unified user experience

The new release delivers a visual experience built around the Contrast Graph, providing real-time visibility into attacks, vulnerabilities, and business risks. These views can be tailored for each team and integrated with existing developer, CNAPP, and SIEM tools. The Contrast Graph functions as a live map, helping teams to better understand the relationships between vulnerabilities, threats, and assets to enable collaborative response.

Key features

Northstar features dynamic risk scoring that prioritises vulnerabilities based on their context in production, including architecture, threats, and business risk. The platform unifies Application Detection and Response (ADR) with Application Security Testing (AST), providing shared context for incident and vulnerability correlation. This aims to break down silos between teams and improve the speed and accuracy of threat resolution. The Contrast AI SmartFix capability utilises Graph data to generate specific remediation plans, write code, create test scripts, and draft pull requests. The Contrast MCP Server makes runtime insights available across environments, supporting future AI-driven use cases.

The Deployment Hub is designed to simplify onboarding and the roll-out of updates across complex environments, helping organisations to deploy protection faster. The Flex Agent streamlines the process of agent deployment and updates, requiring no manual configuration and lessening installation times. Northstar integrates with established security products such as Splunk, Wiz, and Sumo Logic, and the company says that additional integrations and strategic partnerships will be announced in the coming weeks.

Discussing the release, Jeff Williams, OWASP Founder, and Contrast Security Founder and CTO, said, "Northstar is the culmination of everything we've learned about defending modern software. We didn't just bolt together another set of tools—we reimagined AppSec from first principles. By combining runtime observability, real-time graph context, and AI-powered automation, we built a platform that doesn't just find problems—it understands them, prioritises them, and helps teams fix them fast. This is the platform I've wanted since OWASP's earliest days—one that doesn't just generate alerts, but actually defends the software that powers our world."

The Northstar release is now available to partners and enterprises looking to update their application security programmes via a unified, real-time security operations and remediation toolset. Additional partnerships and integrations are set to follow in the coming weeks.

Azul unveils Java tool to cut false positives by up to 99%

Techday NZ, 11-06-2025

Azul has unveiled a new class-level Java vulnerability detection capability within its Intelligence Cloud platform intended to improve the accuracy of identifying security threats in Java applications in production environments. The latest enhancement utilises runtime data to identify only those code paths that are actually executed in production, rather than simply identifying the presence of potentially vulnerable components based on file names or software bill of materials (SBOM) information.

Traditional application security (AppSec) and application performance monitoring (APM) tools often generate a significant number of false positives, as they typically flag vulnerabilities if a component is present within an application regardless of whether the vulnerable portion of code is used. According to Azul, its new approach enables organisations to focus only on executable code paths, delivering a reported 100x to 1,000x reduction in false positives compared to other tools.

Reducing false positives

Azul referenced data from its own "2025 State of Java Survey & Report," which found that 33% of organisations say more than half of their DevOps teams' time is spent dealing with false positives from Java-related Common Vulnerabilities and Exposures (CVEs). This, the company states, not only overwhelms teams but also makes it difficult to prioritise genuine security issues and disrupts developer productivity.

Java components, such as Log4j, often comprise Java ARchive (JAR) files, each containing multiple classes. It is therefore possible for applications to include components where the vulnerable class exists but is never invoked, meaning the associated vulnerability is not an actual risk. Azul argues that prioritising detection down to the class level can help Java teams correctly identify components that need patching, thereby eliminating unnecessary remediation efforts.

Class-level analysis

The new Vulnerability Detection capability in Azul Intelligence Cloud reportedly maps CVEs to Java classes observed at runtime, allowing organisations to pinpoint which components are in use and which are vulnerable. By relying on production runtime data, Azul claims this feature eliminates up to 99% of false positives.

A cited example involves the 'Critical' severity vulnerability CVE-2024-1597, affecting certain versions of the pgjdbc PostgreSQL Java Database Connectivity (JDBC) driver. The vulnerability, which carries a CVSS score of 9.8 out of 10, only applies in specific non-default configurations. Traditional tools tend to flag the presence of the vulnerable component regardless of usage, potentially resulting in unnecessary security work. Azul states that its platform determines at runtime if any of the 11 vulnerable classes (among a total of 470 in the component) are actually used in production, enabling more precise prioritisation for remediation.

"The improved Vulnerability Detection features strengthen the proposition of Azul's Intelligence Cloud analytics SaaS offering as a way to increase DevOps productivity and recover developer capacity by reducing the need for full-time employee time spent wasted on security false positives and inefficient triage," said William Fellows, Research Director at 451 Research, part of S&P Global Market Intelligence.

Additional capabilities

Azul states that its Intelligence Cloud platform provides several key benefits for enterprise Java security management. These include the ability to efficiently triage new vulnerabilities in real time, enabling DevOps teams to focus on the most pressing issues during high-impact events. The platform offers both real-time and historical vulnerability analysis, with forensic capabilities to determine whether vulnerable code was executed before the associated threat was identified.

The underlying knowledge base that supports Azul Vulnerability Detection is updated with newly published vulnerabilities using AI-based processes, and it operates across all OpenJDK-based Java Virtual Machines (JVMs), including those provided by vendors such as Oracle, Amazon, Microsoft, Red Hat, and others. Azul notes that its approach has no measurable impact on application performance as it leverages runtime data already generated by the JVM. Azul also highlights that the system is designed to help teams recover capacity lost to unnecessary security triage, by illuminating only those vulnerabilities present in live production environments.

"Our mission is to help enterprises focus their security efforts on what matters, real risk, not noise," said Scott Sellers, Co-Founder and Chief Executive Officer of Azul. "By eliminating up to 99% of false positives and pinpointing vulnerabilities in Java applications with 100x – 1000x greater accuracy than traditional tools, Azul Intelligence Cloud enables capacity recovery across DevOps and security teams. As a result, teams can dramatically reduce noise, prioritise real risk and accelerate remediation, all with zero impact to performance and without slowing innovation."
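The class-level triage both Azul articles describe (the technical approach in the first piece and the class-level analysis above), as an added Python illustration that is not Azul's code: it parses a JVM class-load log, compares it with a constructed CVE-to-class knowledge base, and reports which CVEs a file-name/SBOM scan would flag versus which ones actually had a vulnerable class loaded in production. It assumes JDK unified logging output from -Xlog:class+load; the JAR names, the vulnerable class names and the two extra CVE ids are placeholders, not values from any real advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# One line of JDK unified logging as written by -Xlog:class+load. Assumption:
# decorations are "[<uptime>s][info][class,load]" followed by "<class> source: <origin>";
# lines carrying other tags (gc, safepoint, ...) are skipped.
CLASS_LOAD_RE = re.compile(
    r"^\[(?P<uptime>\d+(?:\.\d+)?)s\]\[info\]\[class,load\]\s+"
    r"(?P<cls>[\w$.]+)\s+source:\s+(?P<src>.+?)\s*$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    jar_name: str                       # component the vulnerable code ships in
    vulnerable_classes: FrozenSet[str]  # only these classes carry the flaw


@dataclass(frozen=True)
class LoadedClass:
    name: str
    source: str
    first_seen: float                   # JVM uptime in seconds at first load


def parse_class_load_log(text: str) -> Dict[str, LoadedClass]:
    """Map every class the JVM loaded to where it came from and when (earliest load wins)."""
    loaded: Dict[str, LoadedClass] = {}
    for line in text.splitlines():
        m = CLASS_LOAD_RE.match(line)
        if m and m.group("cls") not in loaded:
            loaded[m.group("cls")] = LoadedClass(
                m.group("cls"), m.group("src"), float(m.group("uptime")))
    return loaded


def filename_scan(advisories: Iterable[Advisory], shipped_jars: Set[str]) -> List[str]:
    """What a file-name / SBOM scanner reports: every CVE whose JAR is in the deployment."""
    return sorted(a.cve for a in advisories if a.jar_name in shipped_jars)


def class_level_triage(advisories: Iterable[Advisory], loaded: Dict[str, LoadedClass],
                       shipped_jars: Set[str]) -> Dict[str, dict]:
    """Refine the file-name view with runtime evidence.
    reachable - at least one vulnerable class was loaded in production
    present   - the JAR ships, but none of its vulnerable classes was loaded
    absent    - the component is not in the deployment at all
    """
    out: Dict[str, dict] = {}
    for adv in advisories:
        hits = sorted(c for c in adv.vulnerable_classes if c in loaded)
        status = "reachable" if hits else ("present" if adv.jar_name in shipped_jars else "absent")
        out[adv.cve] = {
            "status": status,
            "loaded_vulnerable": hits,
            "first_seen": min(loaded[c].first_seen for c in hits) if hits else None,
        }
    return out


# Constructed knowledge base. The class names are placeholders, not the classes the
# real CVE-2024-1597 advisory covers (the article only says 11 of the driver's 470
# classes are affected); the other two CVE ids are placeholders as well.
KNOWLEDGE_BASE = [
    Advisory("CVE-2024-1597", "postgresql-jdbc-example.jar", frozenset({
        "org.postgresql.placeholder.VulnA",
        "org.postgresql.placeholder.VulnB",
        "org.postgresql.placeholder.VulnC"})),
    Advisory("CVE-0000-PLACEHOLDER-1", "log4j-core-example.jar",
             frozenset({"org.apache.logging.log4j.placeholder.Lookup"})),
    Advisory("CVE-0000-PLACEHOLDER-2", "not-deployed-example.jar",
             frozenset({"com.example.placeholder.Vuln"})),
]

# Constructed SBOM view (JAR file names present in the deployment) ...
SHIPPED_JARS = {"postgresql-jdbc-example.jar", "log4j-core-example.jar"}

# ... and a constructed excerpt of the JVM's class-load log for the same deployment.
SAMPLE_LOG = """\
[0.021s][info][class,load] java.lang.Object source: shared objects file
[1.203s][info][class,load] org.postgresql.Driver source: file:/app/lib/postgresql-jdbc-example.jar
[1.250s][info][class,load] org.postgresql.placeholder.VulnB source: file:/app/lib/postgresql-jdbc-example.jar
[2.010s][info][gc] Pause Young (Normal) (G1 Evacuation Pause) 24M->8M(64M) 3.1ms
[2.500s][info][class,load] org.apache.logging.log4j.LogManager source: file:/app/lib/log4j-core-example.jar
"""

if __name__ == "__main__":
    loaded_classes = parse_class_load_log(SAMPLE_LOG)
    print("file-name scanner flags:", filename_scan(KNOWLEDGE_BASE, SHIPPED_JARS))
    for cve, r in class_level_triage(KNOWLEDGE_BASE, loaded_classes, SHIPPED_JARS).items():
        print(f"{cve}: {r['status']} loaded={r['loaded_vulnerable']} first_seen={r['first_seen']}")
```

Loading a class is a necessary but not sufficient sign that the vulnerable code path ran, and a short log window can miss classes loaded later, so "present" should lower a finding's priority rather than close it.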

The Future Of AI Is Specialization

Forbes, 30-05-2025

With 16+ years in cybersecurity, Édouard Viot, CTO of Symbiotic Security, is a hacker at heart and an innovator in AppSec, WAFs and EDR.

The rapid evolution of AI has led to an important realization: the infrastructure, training costs and ongoing reinforcement learning required to maintain a generalist AI model are astronomical, impractical and unsustainable. In my opinion, the future belongs instead to hyperspecialized AI models that are tailored to excel in hyper-specific domains.

Fundamentally, using a large language model (LLM) for a hyper-specialized task is like using a sledgehammer to crack a nut: it's not the most efficient tool for the job. So instead of relying on large, resource-intensive models for every task, the industry is shifting toward domain-specific AI agents. For example, AI specializing in code security would outperform a general-purpose model like ChatGPT when it comes to detecting and remediating vulnerabilities. In fact, we ran an internal study on this topic that you can find here.

Agentic AI substantially increases these capabilities. Agentic AI is a solution engineered to function independently by making decisions, executing actions and adjusting dynamically to evolving conditions with minimal human oversight. Take, for example, an agent specialized not just in code security, but in specific families of vulnerabilities, such as XSS, SQL injection and buffer overflow. In these cases, AI can adapt to the type of vulnerability it has detected and route the user to proper, hyper-focused resources for remediation and/or training.

The agentic approach can also be used to chain AI models. Using a slightly different example, let's say the user is working with Terraform code. Within the workspace, one agentic AI can be used to remediate vulnerabilities in the Terraform code and then route to another agent that will check the syntax to make sure that everything is correct. This will provide better results, but will also lead to increased latency.

All of this raises a fundamental question: Do we really need general-purpose AI models that know everything? The answer is increasingly clear—no, we don't. What we need is AI that is exceptional at a specific task, delivering high performance with lower compute costs. The advantages extend beyond efficiency: hyperspecialized AI reduces latency, improves accuracy and even lowers environmental impact due to reduced resource consumption.

Hyperspecialized models can have an outsized impact in areas that call for both accuracy and flexibility. Looking again at cybersecurity, different AI techniques can work together to make the whole process faster and more efficient. For instance, machine learning models, trained on large datasets of known threats and safe software, are great at classification. They can quickly spot anomalies, categorize vulnerabilities and reduce false alarms during automated scans. This is a huge win for security teams, who can then focus on higher-level strategy and incident response rather than sifting through endless alerts.

Meanwhile, LLMs shine when it comes to code-related tasks, in that they can generate specific fixes across a range of programming languages. This means developers don't have to be experts in every single language; they can rely on an LLM to create targeted solutions that fit the situation at hand. Bringing these two approaches together—machine learning for classification and LLMs for code generation—creates an effective combination that addresses both identification and remediation of security issues. Not only does this save time and resources, but it also bolsters an organization's overall security posture by delivering quick, precise results.

The productivity gains from AI-driven automation are undeniable. In software development, AI can function like an outsourced team, accelerating coding efforts and reducing development timelines. However, this speed comes with a trade-off: without proper oversight, AI-generated code can, and does, introduce security vulnerabilities, leading to increased risk. In fact, a recent Stanford study has shown, among other things, that participants "who had access to an AI assistant wrote significantly less secure code than those without access to an assistant." It also found that participants with access to an AI assistant were more likely to believe they wrote secure code, suggesting that such tools may lead users to be overconfident about security flaws in their code.

Rather than replacing developers, AI is transforming their role. Developers will shift from being pure coders to acting as AI controllers and overseers, ensuring that AI-generated output meets security and quality standards. This evolution places a greater emphasis on critical thinking and judgment, elevating the role of developers within organizations.

As AI models become more widely available, the competitive edge will shift towards data quality and specialization. Large, general-purpose models require immense investment, but hyperspecialization allows smaller players to compete effectively. This disrupts the traditional AI hierarchy, potentially enabling new innovators to challenge the dominance of tech giants.

AI is increasingly learning from human interactions, a concept known as reinforcement learning. Using the case of code security again, if a developer modifies AI-suggested remediation code before accepting it, the AI can learn from this adjustment and refine its future recommendations. This continuous feedback loop allows AI to evolve based on real-world usage, improving accuracy and effectiveness over time. It's important to note, however, that for an AI to be truly self-improving, the capabilities of the human interacting with it need to be taken into consideration. In fact, only with that awareness should the reinforcement learning be adjusted. If the developer modifying the suggested remediation code makes those changes without understanding the root problem, and as a result the changes are ill-advised or wrong, learning from that interaction would be detrimental to the AI.

As AI advances, hyperspecialization will become the dominant strategy for enterprises seeking cost-effective, high-performance solutions. The era of trying to build a single AI that does everything is giving way to a more practical approach: deploying multiple smaller, task-specific AIs that are more efficient, precise and ultimately more beneficial for organizations and society.

DefectDojo Introduces Industry-First Unified SOC & AppSec Platform

Yahoo, 27-05-2025

DefectDojo now accommodates the needs of multiple security teams with a single, unified view

AUSTIN, Texas, May 27, 2025--(BUSINESS WIRE)--DefectDojo, the pioneer in scalable security, unified vulnerability management and DevSecOps, today announced the launch of their next-gen Security Operations Center (SOC) capabilities for DefectDojo Pro, which provides both SOC and AppSec professionals a unified platform for noise reduction and prioritization of SOC alerts and AppSec findings. As both SOC and AppSec teams attempt to cut through noisy data from a sprawling set of tools and sources, Dojo Pro now allows two security teams to work from the same platform in a way no other solution has offered to date.

SOC teams, like their counterparts in AppSec, are facing a number of challenges that hinder their ability to effectively protect their organizations. A recent survey found that SOC teams receive approximately 500 investigation-worthy endpoint security alerts weekly, and investigating these alerts takes up to 65% of their time; in that same survey, 16% of SOC professionals said they only addressed 50-59% of their pipeline per week. In short, SOC teams do not have the time or the resources to effectively keep up with the constantly-evolving threat landscape and the deluge of associated data.

Next-gen SOC builds on DefectDojo's previous efforts to simplify and streamline cybersecurity operations. SOC teams can now use Dojo Pro's machine learning algorithms to consolidate and remove duplicate findings, significantly cutting down the amount of data they must process and assess. They can also take advantage of DefectDojo's newly-released risk-based prioritization features, which more effectively assess risk by factoring in exploitability, reachability, revenue, potential compliance factors, user records and a number of other factors to help teams find their most pressing vulnerabilities and SOC alerts to respond more quickly.

"DefectDojo has always prioritized meeting security teams where they are, providing them the flexible foundation to effectively manage their needs and making hypertechnical cybersecurity tools accessible. Unifying next-gen SOC and AppSec represents the culmination of all of our work to date and a major breakthrough in how different cybersecurity teams collaborate with each other," said Greg Anderson, CEO and founder of DefectDojo. "We aim to continue bringing our customers scalable solutions for today's most pressing cybersecurity issues."

The next-gen SOC capabilities join a number of recently-launched features for the Dojo Pro platform, all of which are informed by direct customer feedback and use cases. These include the Rules Engine, which enables teams to customize rules to automatically manipulate, edit, enhance, add custom remediation advice, escalate, or de-escalate specific findings, all without significant human effort; the universal parser, allowing for data ingestion from any tool producing JSON or XML data; and next-generation prioritization evaluation.

Built by and for cybersecurity professionals, Dojo Pro is designed to efficiently scale for the needs of organizations of any size and centralize vulnerability data into one easy-to-use platform. DefectDojo's customer base includes Fortune 10 companies, international banks, government agencies and solo consultants alike, and the open-source OWASP Edition of the platform has been downloaded over 43 million times. To learn more about DefectDojo and get started with either the OWASP Edition or Dojo Pro, contact hello@

About DefectDojo

DefectDojo is the engine that drives DevSecOps, providing an open, scalable platform that connects security strategy to execution. By aggregating data from any security tool, automating manual processes, and delivering AI-powered insights, DefectDojo empowers organizations to have a unified view of security posture, automate operations to increase productivity and improve decision-making. For more information, visit or follow us on LinkedIn or GitHub.

Media Contact: defectdojo@
