Our vision on security tooling
Replace or complement each other?
In our vision tools and humans should augment each other. Not try to replace each other. In computer science structured but complex tasks are where computers really shine, while humans often are good with creativity and the unstructured. We strive to interleave humans and machines in a symbiotic relationship. Because then we think we can create a whole which is greater than the sum of the parts.
Where are the tools for security experts?
We see a lot of security tools out there (SAST, DAST) that definitely add value, but all of those tools are built for software developers. So security experts have to use tools that are designed for people that do not know about security (since most software developers do not).
Human expertise is still needed and scarce
Another downside for security professionals when using current security tooling is that they need to check all the false positives of those tools. And they need to redo part of the work to find the vulnerabilities that those fully automated tools didn't find. Because those fully automated tools just find the easy vulnerabilities, and only human experts will find the critical ones. And yes, also ChatGPT doesn't find the critical vulnerabilities.
The following beliefs convince us that we need dedicated security tooling:
Code is (will become) the single source of truth. This includes infrastructure, configuration, documentation and even hardware via HDL (Hardware Description Language).
More and more software will be written which implies there will be more and more code to secure.
Software is iterated on quickly and this will never slow down again.
There will be more focus and budget to make sure software is more secure.
Performing only black box analyses of software will become prohibitively expensive, so this needs to be sped up.
Human labor is too expensive or simply not available.
Full automated security tooling will not be smart enough to find (enough) vulnerabilities to protect against criminal hackers.
Currently there is no standardization on how to perform software security evaluations.
Security evaluations are a two step process:
Obtaining deep understanding of the software.
Using this deep understanding, reason about all ways the software could (be made to) misbehave.
We need to ensure each part of the puzzle is secure, but there is no efficient tooling yet to ensure that. Therefore we believe we need tools dedicated for software security experts.