What are the steps to determine the appropriate CAL for a component?

To determine a CAL, assess the component's risk profile based on its functionality, exposure to threats, and potential impact of a breach. Then, choose a CAL that aligns with this risk level and the manufacturer's overall cybersecurity strategy.

How often should CALs be reviewed or updated?

CALs should be reviewed regularly, especially when there are significant changes in the threat landscape, technology, or operational environment. An annual review is a common practice, but some situations may warrant more frequent assessments.

What is the risk of code generated by AI?

While AI-generated code can accelerate development, it also introduces new risks. This is because AI tools currently rely on the LLMs, which use general data and don't know the specifics of the application under test. Moreover, they are being used to produce much higher quantities of code which in turn will lead to more bugs and vulnerabilities. The reliance on AI can also lead to a reduced understanding of the codebase by human programmers and a false sense of security, as found in a study by Stanford University.

What is the issue with traditional static analysis and black-box testing?

Traditional methods of software security testing, like static analysis (SAST) and dynamic black-box testing (DAST), suffer from significant limitations. Starting with SAST, it lacks runtime context, meaning it cannot fully assess the actual behavior of the software during execution. Consequently, SAST often generates numerous false positives, leading to potential vulnerabilities being overlooked or ignored. On the other hand, DAST faces its own set of challenges. While it evaluates the external behavior of a software application, it fails to assess its internal workings, leaving potential security flaws within the code undetected. Furthermore, DAST does not achieve complete code coverage, meaning certain parts of the application might remain untested and susceptible to vulnerabilities.

What are the benefits of AI-powered white-box testing?

AI-powered white-box testing offers several advantages: It can integrate easily with existing unit tests for automated testing at each code change It leverages the internal design of the application to find hidden issues It eliminates false positives and duplicates, providing actionable results It helps assess untested parts of the system by refining test inputs based on coverage information

What is AI-Powered white-box testing?

Dynamic white-box testing with self-learning AI is a testing strategy that leverages the internal design of the software under test to generate myriads of intelligent test cases. Genetic algorithms learn from previous test data and create new test cases to dig deeper into the software under test. This approach enables dev teams to identify bugs and vulnerabilities that traditional testing methods often miss.

How does AI-powered white-box testing compare to traditional black-box testing?

AI-powered white-box testing differs from black-box testing as it can leverage the internal design of software to provide a more comprehensive testing approach. It can also allow dev teams to gather information from previous test cases and use this knowledge to generate new, more intelligent ones automatically.

How can Large Language Models (LLMs) and self-learning AI work together in software testing?

LLMs can be used to analyze code and automatically identify the potential attack surface. They can also generate the corresponding test harnesses needed for self-learning AI. Self-learning AI can then “attack” these entry points while continuously refining test cases based on coverage feedback. When combined, these two forms of AI provide a more automated and scalable testing model, enabling development teams to secure self-written code, third-party components, and AI-generated code at scale.

Code Intelligence Blog | Sergej Dechand

Sergej Dechand Dec 5, 2024 3:02:03 PM 1 min read

Jazzer: Back to Open Source!

Jazzer is open source again under Apache 2.0! ...

Start Reading

Sergej Dechand Mar 18, 2024 2:33:59 PM 4 min read

ISO/SAE 21434 compliance in 2024: what’s new and how to act

The ISO/SAE 21434 standard provides ...

Start Reading

Sergej Dechand Jan 23, 2024 3:46:11 PM 6 min read

7 Challenges of Embedded Software Security Testing in 2024

Learn about 7 challenges to look out for during ...

Start Reading

Sergej Dechand Jan 11, 2024 9:21:42 AM 4 min read

The Role of Cybersecurity Assurance Levels in ISO 21434

Explore the role of cybersecurity assurance ...

Start Reading

Sergej Dechand Aug 9, 2023 2:07:20 PM 6 min read

The Risks of AI-Generated Code

Discover the potential risks and threats posed by ...

Start Reading

Sergej Dechand Jun 1, 2022 3:03:40 PM 4 min read

Code Intelligence Raises $12M for Dev-First Security

We are happy to announce that we secured our ...

Start Reading

Sergej Dechand Dec 22, 2021 12:58:47 PM 1 min read

Bug Detectors for log4j Are Now Available in Google’s OSS-Fuzz

Java developers can now run continuous security ...

Start Reading

Sergej Dechand Feb 18, 2021 5:13:41 PM 3 min read

Use Address Sanitizers to Secure Your Software

Learn how address sanitizers can help you gain ...

Start Reading

Sergej Dechand Jan 6, 2021 4:28:30 PM 6 min read

Future of Pentesting: 5 Tips to Improve App Security

In the future, most of the enterprise pentesting ...

Start Reading

Sergej Dechand Oct 8, 2020 5:20:19 PM 3 min read

Automotive Fact Sheet - 6 Tips for ISO 21434 Compliance 2024

Comply with the new ISO Standard, i.e ISO 21434 ...

Start Reading

Sergej Dechand Sep 23, 2020 1:56:27 PM 4 min read

Secure Automotive Systems: 3 Steps to Prevent Crashes

Automotive software has to be reliable and ...

Start Reading

Sergej Dechand Jun 24, 2020 10:31:56 AM 3 min read

2 Mio € for Code Intelligence to Innovate Software Testing

Software security company from Bonn raises 2 Mio ...

Start Reading

About Sergej Dechand

Blog Post by Sergej Dechand

Jazzer: Back to Open Source!

ISO/SAE 21434 compliance in 2024: what’s new and how to act

7 Challenges of Embedded Software Security Testing in 2024

The Role of Cybersecurity Assurance Levels in ISO 21434

The Risks of AI-Generated Code

Code Intelligence Raises $12M for Dev-First Security

Bug Detectors for log4j Are Now Available in Google’s OSS-Fuzz

Use Address Sanitizers to Secure Your Software

Future of Pentesting: 5 Tips to Improve App Security

Automotive Fact Sheet - 6 Tips for ISO 21434 Compliance 2024

Secure Automotive Systems: 3 Steps to Prevent Crashes

2 Mio € for Code Intelligence to Innovate Software Testing