
Code Intelligence’s New AI Tool Automates Generation Of Fuzz Tests | Sergej Dechand


Guest: Sergej Dechand (LinkedIn)
Company: Code Intelligence (Twitter)
Show: Let’s Talk

While we would like to think that security is baked in from the start by developers, this is not always the case. Furthermore, security engineers and developers are not always on the same page when it comes to security testing. Code Intelligence aims to tackle this problem with CI Spark, a tool that harnesses AI to help write test code.

In this episode of TFiR: Let's Talk, Sergej Dechand, CEO and Co-Founder of Code Intelligence, talks about the company and the problem it is trying to solve. He discusses the role of AI in security and how it is being used for fuzz testing, explains how CI Spark analyzes code and automates fuzz tests, and takes us through some of the key trends he is seeing in the industry.

Key highlights from this video interview:

  • Dechand gives us an insight into what led them to create Code Intelligence, saying the available open-source tools for scaling up security testing were problematic and that you needed domain and security knowledge for the fuzzing techniques they were using. He discusses how this led to the idea of bringing security tools closer to developers without a security background, and how this formed the premise of Code Intelligence.
  • With the shift-left movement, many developers are now doing security, but Dechand feels that many still prioritize shipping new features over security. He talks about how security is often an afterthought as developers get closer to a release and how this creates tension between security professionals and developers.
  • Dechand shares his views on the evolution of generative AI and how AI is being used in security. He talks about static code analysis, telling us a lot of companies are already using it, and how the dynamic code analysis tools that penetration testers use are not typically part of the DevOps toolchain.
  • Dynamic testing involves setting up your software and attacking it while it is running. Dechand goes into detail about black-box testing techniques, how people started looking at ways to automate dynamic analysis using genetic algorithms, and what this involves.
  • Dechand talks about how they are using LLMs like ChatGPT to scan through the source code, using generative AI to find the different unit tests. He explains how, starting from the unit tests, they can auto-configure how the dynamic analysis then attacks the software. Dechand tells us they are working on a smaller language model for this use case.
  • Code Intelligence recently announced CI Spark, which automates a large portion of the work needed for fuzz testing, saving engineers time. Dechand explains how CI Spark works to help identify the relevant interfaces and develop the tests.
  • Dechand discusses the friction that can occur between security and development teams. He explains how CI Spark has lowered the resistance of developers because security engineers are able to set up the first tests on their own by just having access to the repositories, not the code base.
  • Code Intelligence is primarily focusing on enterprises and is operating globally. Dechand tells us that most of their clients are from the automotive sector, since they started with C++ before adding languages like Java, but the company is industry agnostic.
  • Dechand takes us through some of the trends he is seeing in the industry, saying he sees resistance in some enterprise companies against AI because of copyright issues. Nonetheless, more companies are using generative AI to produce more code. He talks about how developers' roles may change in the future with the use of AI.
  • The Cyber Resilience Act (CRA) is still a hot topic within the open-source community, and Dechand shares his views on the effect he feels it will have, such as seeing a disclaimer or changes in licensing. However, he feels that most companies cannot afford not to use open source, and that it is essential to staying competitive.
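The two ideas in the bullets above, deriving a fuzz target from an existing unit test and driving it with a genetic-algorithm-style coverage-guided loop, as an added Python example that is not Code Intelligence's or CI Spark's code: the parser, its latent bug, the unit test and the mutation loop are all constructed for illustration, and line-level coverage is approximated with `sys.settrace`.

```python
import random
import sys
# Constructed target (not Code Intelligence code): a length-prefixed record
# parser whose checksum read is not bounds-checked.
def parse_record(data: bytes) -> bytes:
    if len(data) < 2 or data[0] != 0x7E:
        raise ValueError("bad header")
    payload = data[2:2 + data[1]]
    if sum(payload) % 256 != data[2 + data[1]]:  # IndexError once data[1] overruns
        raise ValueError("bad checksum")
    return payload
def test_parse_record():  # existing unit test: pins entry point, seed, allowed exception
    assert parse_record(bytes([0x7E, 2, 1, 2, 3])) == b"\x01\x02"
def fuzz_target(data: bytes) -> None:  # harness derived from that unit test
    try:
        parse_record(data)
    except ValueError:  # allowed by the unit test; anything else is a finding
        pass
def run_with_coverage(data: bytes):
    """Run one input; return (escaped exception or None, executed line numbers)."""
    lines, crash = set(), None
    def tracer(frame, event, arg):  # records which parse_record lines ran
        if event == "line" and frame.f_code is parse_record.__code__:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        fuzz_target(data)
    except Exception as exc:
        crash = exc
    sys.settrace(None)
    return crash, lines
def mutate(data: bytes, rng: random.Random) -> bytes:
    buf, pos = bytearray(data), rng.randrange(len(data) + 1)
    if pos < len(buf) and rng.random() < 0.5:
        buf[pos] = rng.randrange(256)  # overwrite a byte
    else:
        buf.insert(pos, rng.randrange(256))  # insert a byte
    return bytes(buf)
def fuzz(seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Coverage-guided loop: only inputs reaching new lines join the corpus."""
    rng, corpus, seen = random.Random(rng_seed), [seed], set()
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        crash, lines = run_with_coverage(child)
        if crash is not None:
            return child, crash  # reproducer plus the escaped exception
        if lines - seen:
            seen |= lines
            corpus.append(child)
    return None, None
```

The unit test's valid record is reused as the seed corpus, and the loop stops at the first input whose exception is not one the unit test tolerates.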

This summary was written by Emily Nicholls.