Checkmarx has revamped its strategy for infusing artificial intelligence (AI) agents into DevSecOps workflows following its acquisition of Tromzo, a provider of an application security posture management platform (ASPM).
Earlier this year, Checkmarx committed to building three classes of AI agents within a Checkmarx Assist portfolio, starting with a Developer Assist tool that it developed in-house. The other two, the Policy Assist Agent and the Insight Assist Agent, will now be based on AI agents developed by Tromzo.
Ori Bendet, vice president of product management for Checkmarx, said that, in effect, the acquisition of Tromzo accelerates the timeline the company had set for building a suite of AI agents that automate application security workflows across the entire software development lifecycle (SDLC). Checkmarx also gains a cybersecurity team that has already developed considerable expertise in applying AI to application security, he added.
Tromzo CEO Harshil Parikh said that as a provider of an ASPM, Tromzo is already using AI to understand the unique attributes of a codebase. Whenever an issue is discovered, its AI agents will then surface code recommendations for fixing it. That approach eliminates the need for a developer to spend time researching the vulnerability and then building a patch, said Parikh.
That capability will soon be extended using data collected by the static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) tools developed by Checkmarx, noted Parikh.

The acquisition of Tromzo comes at a time when DevSecOps teams continue to struggle. A recent Checkmarx survey finds nearly all (98%) organizations have experienced a security breach attributable to vulnerable code, with 81% acknowledging their organization has shipped code with known vulnerabilities into production environments. More than a quarter of organizations (27%) experienced four or more breaches due to these vulnerabilities.
Roughly a third of respondents are resigned to additional incidents occurring in the next 18 months, with software supply chain compromise (35%) topping the list followed by a third-party vendor/partner security incident (35%), cloud infrastructure misconfiguration (34%), insider threat or privileged access misuse (33%) and application programming interface (API) security breach or business logic attack (32%).
As the pace at which applications are being developed in the age of AI continues to accelerate, many of these issues will only be further exacerbated. The only way DevSecOps teams will be able to keep pace is to rely more on AI to discover and remediate issues, many of which will be created by developers relying on AI coding tools that generate more flawed code than ever.
Hopefully, there will come a day soon when AI coding tools generate higher-quality code, but in the meantime, DevSecOps teams should prepare for the worst. Cybercriminals are now also adopting AI tools with an eye toward not only discovering more vulnerabilities but also creating the code needed to exploit them in a matter of minutes. As such, the number of zero-day vulnerabilities that DevSecOps teams will be required to remediate as quickly as possible is about to dramatically increase.