Qwiet AI elevates & expands preZero platform developer functions

Code is noisy. Not usually, because software code in and of itself is a calmly constructed and carefully engineered entity that exists inside our applications and data services to drive the features and functions that we all rely upon every day.

But the process of software code vulnerability scanning and remediation can be a noisy affair, beset with a cacophony of ‘noise’ in the form of alerts and triggers designed to help software developers eradicate exploitable elements of an enterprise’s total IT stack.

There has to be a quieter way, surely?

Previously known as ShiftLeft and now (in 2023) renamed as Qwiet AI in reference and deference to the company’s mission to reduce developers’ vulnerability management noise, Qwiet AI CEO Stuart McClure and team are upbeat about the applicability of their firm’s technology.

“It’s all about the mission to reduce the noise associated with vulnerability remediation for developers and their operations counterparts,” explained McClure. “Our platform scans all of an application’s code base and lets engineers know what’s of concern, what’s vulnerable, what’s reachable and exploitable and what isn’t. If your safe door is unlocked but that safe is located inside Fort Knox, then you’re not likely to get robbed. We want developers to focus on what is real and most impactful to the business.”

New productivity features 

The Qwiet AI platform itself logically falls into the application security space (often simply referred to as AppSec and often referenced in relation to DevSecOps practices) and it provides AI-powered detection of vulnerabilities in code. The company this year introduced a series of new enhancements intended to give software developers the means to stay in a highly productive ‘flow’ state. In keeping with the spirit of continuous innovation, the company has focused on adding those capabilities that will keep developers focused on producing code while reducing time wasted on chasing false positives and low-priority issues.

“We are myopically focused on ensuring our preZero platform delivers on our promise to keep the developer community engaged in the creation of new products and features,” said Stuart McClure, CEO of Qwiet AI. “There are so many legacy AppSec code scanners out there [McClure also points to some ‘new legacy’ recent entrants to the market which he claims are already out of date] that don’t incorporate intelligent design in their platform to detect false positives. As a former coder myself, our new capabilities are key proof points that validate our ability to reduce the noise inherent in the AppSec space.”

Core functionality scope

In terms of platform breadth, Qwiet AI offers the following core functions:

  • Static code analysis
  • Open source code analysis
  • Software Bill Of Materials (SBOM) analysis
  • Secrets analysis – to scan passwords, API keys etc.
  • License compliance analysis
  • Container analysis – an expanded feature in 2024 

In addition, Qwiet AI works at any level i.e. it is described by McClure as code (language) agnostic, platform (Windows, Linux etc.) agnostic, cloud hyperscaler agnostic and Continuous Integration (CI) environment agnostic.

With a purpose-built AI engine, Qwiet AI preZero is capable of finding both zero-day and pre-zero-day vulnerabilities, and of performing Static Application Security Testing (SAST), Software Composition Analysis (SCA), container scanning and secrets detection. All of this is possible with a single scan.

How it works 

PreZero’s AI/ML engine lets SAST scans compare code against open source and previously analysed libraries in order to identify new libraries. What is said to be particularly of note about the engine is that the team at Qwiet AI has trained it on over six years of data.

“This ensures PreZero provides a ‘fulsome dataset’ of real-world analysis and can be constantly improved as we discover new vulnerabilities and solutions. Additionally, Qwiet AI’s security research team verifies the results against any false positives before flagging actual vulnerabilities, ensuring that developers stay focused on what matters most, writing code and bringing solutions to market,” noted the company, in a technical statement.

All this information is available through Qwiet AI’s Blacklight, a security threat feed that provides an in-depth overview of the application scanning process. With Blacklight, developers have a direct line of sight into the vulnerabilities impacting their applications and can prioritise the appropriate fixes. Specifically, Blacklight flags related exploits, threat actors, ransomware and botnets commonly leveraged by bad actors across multiple markets.

New improvements

PreZero is constantly being improved upon. Recently, Qwiet AI announced several new and enhanced capabilities including a new User Interface / User eXperience (UI/UX) layer. Qwiet AI chief information security officer (CISO) Chris Hatter has described the UI/UX developments as an effort to bring the platform to developers and cybersecurity teams in a way that ‘serves both personas’ in real terms.

“We want the [perhaps previously non-business-focused] cyber team to take a new approach through their use of Qwiet AI and be able to grasp the macro-organisational implications and commercial risks that stem from vulnerability management and remediation – and we want them to be able to do that on a business unit by business unit basis so that they understand more about company structure and wellbeing,” said Hatter, speaking to press and analysts during the recent AWS re:Invent conference in Las Vegas. 

Hatter explained the process that has happened here and said that the team has refactored the Qwiet AI dashboard to highlight the most pressing jobs that need to be carried out by each developer or cyber persona. “In a world where developers want to move fast, but the cyber team always want to re-risk, bringing these two elements together represents a much-needed point of fusion,” he said. 

The company’s Qwiet Button is something of a star feature. It activates several key filters, including vulnerability criticality, reachability and exploitability, to display those vulnerabilities that are most urgent and in need of remediation, allowing developers to focus on what matters most.

SBOM Export 

Qwiet AI: The shape of silence.

A new SBOM export function enables users to export findings following the White House Cybersecurity Directive of 2021 [details on European and rest of the world equivalents will follow], intended to help reduce security issues around the software supply chain. There is also new language support, which includes support for Kotlin Backend (mobile Kotlin is already supported) and PHP, both at the request of customers.

Additionally, Common Weakness Enumeration (CWE) Top 25 reporting has been added, surfacing the CWE Top 25 most dangerous software weaknesses as another way to quickly focus on the high-risk vulnerabilities found in customer code. The CWE Top 25 is the work of the US Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE.

Code property graph (CPG)

The company’s platform and core technology proposition is founded on a code property graph (CPG), a software analysis approach designed to offer unparalleled visibility into the code being scanned. The CPG is said to deliver a more comprehensive data flow analysis with critical context, because it captures syntactic structure, control flow and data dependencies together in a single property graph.

“The code property graph is a unique way to get the full picture of a piece of software and be able to show the context of an application in its totality,” clarified Qwiet AI’s Hatter. “Legacy [code vulnerability] tools aren’t capable of seeing that file A talks to file B (and so on) to determine where bonds are and where weaknesses may emanate out to. Qwiet AI’s preZero platform highlights which vulnerabilities are actively being exploited so that developers can focus on what matters most as their first action. These tasks are then integrated directly into the software engineering team’s workflow (in tools such as Jira) so that vulnerability remediation happens at the right time and in the right place.”
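As an added illustration (not Qwiet AI’s own code or data model), the toy graph below fuses the three CPG layers the article describes (syntax, control flow, data dependence) over a constructed two-function program, then applies the kind of reachability filter the Qwiet Button is said to use: a sink is only actionable when tainted input reaches it and it is control-flow reachable from an exposed entry point. Node names, the `handler`/`unused` functions and the `req.param`/`os.system` source and sink are all invented for the example.

```python
from collections import defaultdict, deque

class CPG:
    """Toy code property graph: property-bearing nodes, edges tagged by layer."""
    def __init__(self):
        self.nodes = {}                 # node id -> property dict
        self.edges = defaultdict(list)  # (src, layer) -> [dst, ...]
    def add_node(self, nid, **props):
        self.nodes[nid] = props
    def add_edge(self, src, dst, layer):  # layer is "AST", "CFG" or "DDG"
        self.edges[(src, layer)].append(dst)
    def reachable(self, src, dst, layer):  # BFS over one edge layer only
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                return True
            for nxt in self.edges[(cur, layer)]:
                if nxt not in seen:
                    seen.add(nxt); queue.append(nxt)
        return False

def triage(cpg, entry_points):
    """Per sink return (tainted, reachable, actionable): tainted = DDG path from
    a source, reachable = CFG path from an exposed entry, actionable = both."""
    sources = [n for n, p in cpg.nodes.items() if p.get("source")]
    verdicts = {}
    for sink, props in cpg.nodes.items():
        if props.get("sink"):
            tainted = any(cpg.reachable(s, sink, "DDG") for s in sources)
            reach = any(cpg.reachable(e, sink, "CFG") for e in entry_points)
            verdicts[sink] = (tainted, reach, tainted and reach)
    return verdicts

def build_sample():
    """Constructed program: handler() is web-exposed, unused() is never called."""
    g = CPG()
    g.add_node("handler", kind="METHOD", code="def handler(req)")
    g.add_node("n2", kind="CALL", code='cmd = req.param("c")', source=True)
    g.add_node("n3", kind="CONTROL", code="if DEBUG")
    g.add_node("n4", kind="CALL", code="os.system(cmd)", sink=True)
    g.add_node("unused", kind="METHOD", code="def unused(req)")
    g.add_node("n6", kind="CALL", code='x = req.param("x")', source=True)
    g.add_node("n7", kind="CALL", code="os.system(x)", sink=True)
    for s, d, layer in [("handler", "n2", "CFG"), ("n2", "n3", "CFG"), ("n3", "n4", "CFG"),
                        ("unused", "n6", "CFG"), ("n6", "n7", "CFG"),      # execution order
                        ("handler", "n2", "AST"), ("handler", "n3", "AST"), ("n3", "n4", "AST"),
                        ("unused", "n6", "AST"), ("unused", "n7", "AST"),  # syntactic containment
                        ("n2", "n4", "DDG"), ("n6", "n7", "DDG")]:         # tainted data into os.system
        g.add_edge(s, d, layer)
    return g
```

Running `triage(build_sample(), ["handler"])` marks `n4` as actionable but leaves `n7` as tainted-yet-unreachable, which is the “unlocked safe inside Fort Knox” case the article describes.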

The team at Qwiet AI are not timid: they claim that the software security business would ‘go out of business overnight’ if everyone used tools like preZero. With some more established software teams perhaps not ready to refactor and re-engineer in the face of vulnerabilities, some will no doubt remain deafened by the raucous discord that these risk factors inevitably always create.