Legit Security this week added a threat feed that DevSecOps teams can use to instantly determine if a newly discovered vulnerability impacts their software supply chain.
Built with the Legit VibeGuard tool and added to the company’s application security posture management (ASPM) platform, the threat feed also lets DevSecOps teams use large language model (LLM) driven “vibecoding” to generate a dashboard on the fly that shows the scope of a given threat.
Legit Security CTO Liav Caspi said the goal is to make it simpler for DevSecOps teams to understand which vulnerabilities to remediate first, based on the actual threat each represents to a specific application environment, rather than working through a list of potential issues that a cybersecurity team has compiled using the generic severity score attached to an entry in the Common Vulnerabilities and Exposures (CVE) database. DevSecOps teams will instead be able to use the feed to prioritize the development, testing and deployment of patches based on the actual risk a threat poses to their application environment, he added.
In fact, correlating threats to determine which issues to address first is a major step toward auto remediation of vulnerabilities to the point where applications eventually become self-healing, said Caspi.
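The prioritization described above, as an added example that is not code from Legit Security or its platform: a small Python script that matches constructed feed entries against a constructed SBOM by version range and then ranks the matches twice, once by the advisory's generic CVSS score and once by a contextual score that weights in reported exploitation, internet exposure and whether the vulnerable code is reachable. The advisory identifiers, package names, version ranges and weighting multipliers are all assumptions made up for the illustration.

```python
"""
Correlate a vulnerability feed with an application's software bill of
materials (SBOM) and rank the matches by contextual risk instead of by the
advisory's generic severity score alone.

Added illustration, not Legit Security's code: the advisories, components,
version ranges and weighting factors are all constructed for this example.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted numeric version such as '1.10.0' into a comparable tuple
    (so that 1.10.0 sorts after 1.9.3, which a plain string compare gets wrong)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class FeedEntry:
    """One advisory from the feed (constructed; the identifiers are placeholders)."""
    advisory: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    cvss: float       # generic severity score as published with the advisory
    exploited: bool   # whether exploitation in the wild has been reported


@dataclass(frozen=True)
class Component:
    """One SBOM component plus the deployment context the feed cannot know."""
    name: str
    version: str
    internet_facing: bool  # runs in a service reachable from the internet
    reachable: bool        # vulnerable code is reachable from application code
                           # (e.g. according to call-graph analysis)


# Constructed sample feed. "ADV-000x" are placeholder identifiers, not CVEs.
FEED = [
    FeedEntry("ADV-0001", "libparse", "1.0.0", "1.4.2", cvss=9.8, exploited=False),
    FeedEntry("ADV-0002", "httpkit",  "3.0.0", "3.2.1", cvss=7.5, exploited=True),
    FeedEntry("ADV-0003", "imgcodec", "2.0.0", "2.9.0", cvss=8.1, exploited=False),
    FeedEntry("ADV-0004", "yamlio",   "5.0.0", "5.4.0", cvss=9.1, exploited=True),
]

# Constructed sample SBOM for one application, with its deployment context.
SBOM = [
    Component("libparse", "1.2.0", internet_facing=False, reachable=False),
    Component("httpkit",  "3.1.0", internet_facing=True,  reachable=True),
    Component("imgcodec", "2.9.0", internet_facing=True,  reachable=True),  # already on the fixed version
    Component("yamlio",   "5.1.0", internet_facing=False, reachable=True),
]


def affects(entry: FeedEntry, comp: Component) -> bool:
    """True when the advisory's [introduced, fixed) range contains the deployed version."""
    if entry.package != comp.name:
        return False
    deployed = parse_version(comp.version)
    return parse_version(entry.introduced) <= deployed < parse_version(entry.fixed)


def contextual_score(entry: FeedEntry, comp: Component) -> float:
    """Weight the generic CVSS score by what is known about this deployment.
    The multipliers are hypothetical; a real model would be calibrated per organization."""
    score = entry.cvss
    if entry.exploited:
        score *= 1.5   # attackers are already using it: raise priority
    if comp.internet_facing:
        score *= 1.3   # exposed to untrusted input: raise priority
    if not comp.reachable:
        score *= 0.2   # vulnerable code never executes here: deprioritize (but still track it)
    return score


def correlate(feed, sbom):
    """Return every (advisory, component) pair where the deployed version is affected."""
    return [(e, c) for e in feed for c in sbom if affects(e, c)]


def rank(feed, sbom, contextual: bool = True):
    """Rank affected components, by contextual score or by raw CVSS for comparison.
    Returns (advisory id, component name, deployed version, score) tuples, highest first."""
    def score(pair):
        entry, comp = pair
        return contextual_score(entry, comp) if contextual else entry.cvss

    matches = sorted(correlate(feed, sbom), key=score, reverse=True)
    return [(e.advisory, c.name, c.version, score((e, c))) for e, c in matches]


if __name__ == "__main__":
    for label, ctx in (("By generic CVSS", False), ("By contextual risk", True)):
        print(label)
        for adv, name, ver, s in rank(FEED, SBOM, contextual=ctx):
            print(f"  {adv} {name} {ver} score={s:.2f}")
```

Run stand-alone, the script prints the same three findings in two different orders: the 9.8 advisory in an unreachable, internal library falls to the bottom once context is applied, while the 7.5 advisory that is exploited in the wild and sits on an internet-facing service rises to the top, and the component already on the fixed version drops out of both lists. The version comparison only handles plain dotted numeric versions; real ecosystems need their own comparators for semver pre-release tags, Debian epochs and the like.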
Having that capability will soon be essential because the number of vulnerabilities being introduced by artificial intelligence (AI) coding tools is going to become overwhelming, noted Caspi. The only way to address that issue will be to rely more on AI embedded within ASPM platforms to automatically remediate the vulnerabilities those tools create, he added.

Legit Security already provides a range of AI capabilities in its platform, including suggesting remediations for issues in code and identifying which AI models are part of a software supply chain. It also uses AI to correlate scans and run code analysis to reduce false positives, while making it simpler to discover secrets that have been inadvertently committed to code.
At its core the platform has an AI agent that orchestrates the assignment of these and other tasks to AI agents that have been specifically trained to perform them. That approach provides DevSecOps teams with a complete view of the entire software development lifecycle, including assets, owners, security controls, vulnerabilities, and the impact they are having on developer productivity.
The level of adoption of DevSecOps best practices naturally varies widely from one organization to the next. Hopefully, the quality of the code generated by AI coding tools will improve, but in the meantime there is a clear need to use AI tools to validate the code those tools generate. Otherwise, AI coding tools only make an existing application security challenge worse.
The challenge, as always, with auto remediation will be establishing trust in the output generated and tested by an AI tool. After all, the main reason patches are not applied automatically today is that too often the update breaks the application. The same gate applies to an AI-generated fix: it has to pass the application's own test suite and a staged rollout before anyone will let it ship unattended.
In the meantime, DevSecOps teams would also do well to remember that cybercriminals are using their own AI tools not only to identify vulnerabilities in code, but also to generate the code needed to exploit them faster than ever. Like it or not, time is not on the side of any DevSecOps team tasked with securing applications in the age of AI.