AI for application security: Balancing automation with human oversight
In this Help Net Security interview, Kyle Wickert, Worldwide Strategic Architect at AlgoSec, discusses the role of AI in application security, exploring how it’s transforming threat detection and response.
Wickert talks about integrating security testing throughout the development lifecycle, the organizational challenges of fostering a security-first mindset, and the strategies needed to balance regulatory compliance with security measures.
AI, often seen as a threat, is also a powerful tool for defense. How is AI currently being harnessed in application security, and what are its potential capabilities and limitations?
When you look at the reality of AI as we know it, fighting AI with AI will be challenging. AI is transforming application security by enhancing the ability to detect and respond to threats in real time. What was once a manual detection process is now automated, saving countless hours.
To truly harness the most benefit from AI in application security, security professionals should adopt an application-centric approach that automates change management processes, identifies security risks, and ensures compliance. AI-driven analytics can assess the impact of changes on network security policies and predict potential vulnerabilities via open attack vectors while factoring in other key variables.
However, AI’s limitations in application security stem from the need for high-quality data to train AI models and the significant possibility of false positives at scale. The best way to combat this is to balance AI with human oversight to manage security risks effectively.
Comprehensive security testing is critical but often neglected. What are the most effective security testing strategies, and how can organizations ensure that security testing is integrated into the development lifecycle?
Security testing should be integrated throughout Application Delivery Pipelines, from design to deployment. Techniques such as automated vulnerability scanning, penetration testing, continuous monitoring, and many others are essential. By embedding compliance and risk assessment tasks into underlying change management processes, IT professionals can ensure that security testing is at the core of everything they do.
Incorporating these strategies at the application component level ensures alignment with business needs to effectively prioritize results, identify attacks, and mitigate risks before they impact the network and infrastructure. Additionally, automating security testing within CI/CD pipelines ensures that security remains a priority at every stage of development, while not being a burden.
Beyond technical challenges, what cultural or organizational challenges do companies face when prioritizing application security, and how can they foster a security-first mindset among their teams?
One of the biggest challenges in prioritizing application security is overcoming the perception that security slows down delivering and enhancing applications. That misconception continues to haunt IT professionals year over year and it becomes more inaccurate as technology progresses.
To build a security-first mindset, organizations must embed security best practices into their culture and workflows. If new IT professionals coming into an organization are taught that security-first isn’t a buzzword, but instead the way the organization operates, it becomes company culture.
Making security an integral part of the application delivery pipelines ensures that security policies and processes align with business goals. Education and communication are key—security teams must work closely with developers to ensure that security requirements are understood and valued. Leadership also plays a critical role in setting the tone for a security-first culture and driving organizational change to processes in addition to the technology.
Security has to be a priority for everyone in the organization, but a company’s IT department must be the stewards of the security-first mindset.
With the growing number of regulations and compliance requirements around data protection and privacy, organizations are under increasing pressure to comply with these mandates while maintaining application security. How can they effectively manage this balancing act?
Managing compliance while maintaining robust application security requires a strategic approach that starts with alignment about regulatory requirements. Security teams need to maintain their education on regulations because they can and will continue to change as threats change. Automating the enforcement of security policies that meet compliance standards simplifies this balancing act.
Continuous monitoring and auditing ensure that changes to applications and network configurations do not violate compliance mandates. It also ensures that should you need to prove your compliance, you have the reporting in place to meet those needs. By integrating compliance checks into the change management process, organizations can avoid costly compliance breaches while maintaining the agility needed for application security.
What emerging trends in application security should professionals be aware of over the next few years?
Over the next few years, I expect an increased adoption of AI and machine learning. I think there will be a shift in using these technologies for more advanced security protocols like threat detection and response. I also expect more stringent regulatory requirements around data protection. And with that, I think IT professionals will be looking to aspects like a zero-trust architecture to help balance these requirements with limited staff.
I also see a trend of adoption of an application-centric approach. As companies increasingly look to the hybrid cloud model to meet complex network infrastructures, they’re going to need to embrace application connectivity through easy workflow. This will be key to automating security processes in hybrid environments and to organizations effectively prioritizing their efforts at scale.
Additionally, the rise of DevSecOps will push for security to be integrated earlier in the development lifecycle, and tools that ensure consistent application of security will be critical as applications evolve.