
The Future of Cybersecurity with AI-Driven Testing

Rejah Rehim · CEO & Founder · Beagle Security

Show notes

In this episode, I'm joined by Rejah Rehim, CEO & Founder of Beagle Security. We talk about the evolution of cybersecurity and how Beagle Security is pioneering continuous vulnerability testing using AI-driven systems. Rejah shares insights on the misconceptions about AI in security, and the critical vulnerabilities teams often overlook. He emphasizes that security issues often stem from design flaws and not just coding mistakes, and discusses the importance of integrating security into the development lifecycle.


Full transcript

Security issues in design, not code

So welcome back to the podcast. Today, I'm joined by Rejah Rehim. Rejah, welcome to the podcast.

Yeah. Thanks. Thanks for having me on your podcast as well.

So what's your background, and what are you focused on right now?

Sure. Yeah. I'm Rejah Rehim. I'm the CEO and founder of Beagle Security. My background is in technology and then cybersecurity. I have been in the cybersecurity space around fourteen plus years as of now, and I have always been interested in how security can be made more practical for companies and for big enterprises. Like, most of the companies are building modern software as of now. Yeah. Like, in my early career, I spent a lot of time working closely with web application technologies, building web applications and APIs, and seeing firsthand how vulnerable applications can become when development is more on a faster side other than the quality of the development. So Mhmm. With that experience, I thought of building Beagle Security. The main idea was to help organizations to

make this security testing continuous, or continuous vulnerability testing or continuous VAPT for web applications and APIs. Like, mainly to identify vulnerabilities in their web applications and APIs without needing large security teams or complex manual processes. We started in 2020. So we built a platform that automates penetration testing or security testing and makes it easier for developers and security teams to detect and fix the issues before attackers find them in their applications. So Mhmm. Currently with the advancements in the technology, like the LLM and then other agentic AI-based systems, right now we are focusing mainly on pushing our boundaries to automate the web application and API penetration test with an agentic AI-based system, like an AI-driven system which autonomously finds vulnerabilities and provides remediation plans for the developers as such.

Uh-huh. Is there any specific problem that you're seeing over and over that most teams still underestimate in the security space?

So are you asking about, like, any specific?

Yes. Any specific problem that you guys often encounter when working with other companies?

Mainly you're asking about Beagle Security problem we face or our

No. Your clients. So what your clients experience? What's kind of the main issue?

Okay. You're asking about the problem. Right?

Right.

Okay. Yes. Okay. One of the biggest problems most of these teams still underestimate is how quickly the attack surface of modern applications grows. Like, the modern attack surface is growing very fast. Also, the applications are constantly evolving with the use of agentic AI systems and LLMs. Also, most of the SaaS platforms or enterprise products, they are deployed on a daily basis or a weekly basis. APIs are getting added to the system. Dependencies changes on the group, and then the infrastructure is getting updated. But in most of the cases, like, security testing happens only once in a year or it's periodic. Maybe once or twice a year through a manual penetration test. So the problem is that vulnerabilities don't appear once a year. Right? They appear every time code changes. Or that gap between the application security testing where applications are automatically tested and then they evolve. Right? So the security testing is left behind.

Continuous security testing

It's not considered as a continuous one. So that's where we built the platform to automate the continuous process of security testing as such.

Mhmm. You mentioned agentic AI pen testing. Could you briefly explain what that actually means?

Like, currently, what happens in penetration testing from a manual perspective is that, like, we hire someone who takes an attacker's perspective of their web application, and does the testing in their system, and provides the report for them. So, like, when we started Beagle Security, which is in 2020, it was the AI/ML era. And at that time itself, we used a lot of AI systems to solve this and to automate the penetration testing just like a human hacker does. That's what we thought in the early stage of the development itself. Now, like, the technologies evolved, LLMs came, and later, agent-based AI systems evolved. So we have also updated our system in such a way that the decision making or the automated penetration tools can be integrated, or our intelligence can be integrated into the system.

That's what we use as in the case. Like Mhmm. For selecting test cases, designing payloads, identifying false positives, and also understanding the system, contextually aware penetration testing like a human hacker does. So we are trying to be a hacker which is continuously available for the Mhmm. Customer.

Mhmm. You're also an OWASP project lead. Are there any lessons that you wish every product team had internalized earlier?

Yep. Like, I've been part of for around ten years, I think. I also lead the Testing Guide. Like, it is a standard used for doing testing from the manual perspective as well. So firstly, what I got from OWASP is, like, security issues usually come from design decisions, not just from coding mistakes alone. So teams often think vulnerabilities happen because a developer wrote insecure code. But many issues occur or originate earlier, in how authentication or authorization or APIs or data flows are designed. If security thinking starts only during the testing, it's already too late. That's one thing. And secondly, like, input and boundaries matter more than people realize.

Like, most major vulnerabilities succeed because applications trust input that they shouldn't. Whether it's user inputs or API data or inbox or payloads or third party integrations. One of the core OWASP principles is, like, to always validate and then control how data moves into the system and also out of the system. And finally, security has to be continuous, not a checkpoint, not a checkbox activity as well. So many teams still treat security like a milestone or a check mark activity just to complete the compliance requirements. But modern software changes continuously, and the OWASP mindset encourages building security into the development life cycle itself through automated testing, like static analysis during the development, secure coding practices, and also continuous validation of the system.

Mhmm. Going back to agentic AI pen testing, how do you sort of balance out the accuracy and coverage and also speed?

Oh, okay. One of the biggest misconceptions right now is that AI will magically solve everything. Alright. So as you mentioned, like, when it comes to accuracy, coverage, and speed, in case of penetration

Three moves to level up

testing itself. If we need to do an in-depth penetration testing, which need, I mean, which need time, actually. So if you prioritize speed, you may miss complex vulnerabilities. And if accuracy isn't good, customers lose trust in the results because of the false positives. So the key is designing systems that are intelligent about how they test. At Beagle Security, what we think of is a layered approach. First, you when you have fast baseline test, then we identify some in anything. We do in-depth test on that area to clear the common vulnerabilities and later go in-depth in specific area to adjust space. Also, when it comes to the coverage, we depend on the context of a testing on that to make sure we address almost every part of the application. So we have to make sure the coverage and depth, and also the speed. But one thing in our case is, like, as we are at continuous penetration testing, when we start, we start with these small ones and go in-depth and chaining attacks one by one. So because in most cases, we report vulnerabilities

on the go. So time won't be an issue in our case as it's a continuous one.

Mhmm. It's funny that you said that everyone thinks that AI is magic and it can fix everything since I feel like almost everyone on the podcast told me that since, yeah, it's across all of the industries. So if there is a startup or maybe a mid-market company who wants to level up in the next sixty days, what are the three moves that you would recommend to them?

Sure. Sure. Like, you mentioned mid-market companies. Like, they want to level up in the cybersecurity space, like, within the next sixteen days. Like, the first move, they have to focus on integrating tools that are readily available. So more currently, and already released the security module. So integrate those tools early in the development life cycle itself. The first move is to integrate security testing directly into the development pipeline. So security shouldn't happen only before a big release or something.

Teams should start running automated security tests as part of the CI/CD or in their code base itself during the development. Platform like, like I mentioned, Andrew, because already released a SaaS that can do the code review from a security perspective and provide suggestions to remediate those issues as well. That will reduce lots of issues. And also when it comes to the later stages after release or in the staging or development environment, they can use automated tools like Beagle Security so that they can identify the issues from a black box perspective as well. And also, they can use those reports when it goes to the customers. Like, they can show that they have already done the security part of development in the development space itself. Also, the second thing is to prioritize the risk instead of chasing every vulnerability. Like, in most of the cases, many teams get overwhelmed because security tools produce a large list of issues. In short, they should focus on validated vulnerabilities that impact real attack paths. So in Beagle's perspective,

what we do is, like, even for, like, leaked credentials. Like, our concept is more of a collective, intelligent, connected penetration testing. So if something leaked on the dark web or some websites, if we get those details, we'll be using that during the penetration testing to make sure those issues are existing or not, or if it's a valid issue or something. So, likewise, prioritize the risk and fix critical issues before going to production. Also, the final part is, like, giving developers clear ownership of security issues and security fixes mainly. So in most cases, many tools are there, and maybe security testing happens, or security teams identify issues. But finally, to close the issue, some developer needs to fix it. So security works best when developers see it as a part of their responsibility rather than something handled by a separate team. That means providing actionable remediation guidance and integrating findings into the tools developers already use, like issue trackers or pull requests. They can close the issues early. Also, currently, everybody is using

LLM tools to generate and fix the code as well. So maybe they can integrate it directly with those tools so that they can get the issues fixed in the early stage itself. Like, the fastest way to improve AppSec isn't buying more and more tools. It's making security part of the culture or part of how code gets shipped.

Mhmm. Well, thanks for the long advice. Hopefully, someone took notes. And I will leave a link so they can check you out, and we'll see you in the next one.

Okay. Yeah. Thanks.