{"id":76493,"date":"2024-02-06T10:19:05","date_gmt":"2024-02-06T18:19:05","guid":{"rendered":"https:\/\/github.blog\/?p=76493"},"modified":"2025-05-19T12:46:45","modified_gmt":"2025-05-19T19:46:45","slug":"appsec-is-harder-than-you-think-heres-how-ai-can-help","status":"publish","type":"post","link":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/","title":{"rendered":"AppSec is harder than you think. Here\u2019s how AI can help."},"content":{"rendered":"<p>Find vulnerabilities earlier, ship software faster. These are the <a href=\"https:\/\/github.blog\/2020-08-13-secure-at-every-step-a-guide-to-devsecops-shifting-left-and-gitops\/\">good intentions<\/a> behind the drive to shift application security workflows from security teams to developers: a \u201cshift left\u201d move in the software development lifecycle. But does it really work?<\/p>\n<p>In practice, shifting left has been more about shifting the burden rather than the ability. Most AppSec tools, even those that claim to be \u201cdeveloper-first,\u201d require a certain degree of security expertise to deploy and use. By interrupting the coding process and taking developers out of their flow, shifting left can exacerbate the very problems it was meant to address. Here\u2019s a sobering statistic: 81% of developers admit to shipping software with vulnerabilities just to meet a deadline. When human nature and business pressures align, good intentions can hardly compete.<\/p>\n<p>\u201cMost developers are not trained security experts,\u201d says GitHub\u2019s Chief Security Officer and SVP of Engineering <a href=\"https:\/\/github.com\/mph4\">Mike Hanley<\/a>. 
\u201cBut with AI, we\u2019re radically transforming the traditional definition of shift left by bringing security directly to developers as they\u2019re introducing their ideas to code, fundamentally preventing vulnerabilities from ever being written.\u201d<\/p>\n<p>In this post, we\u2019ll explore the challenges in application security today and where AI can make a significant impact in keeping software secure from day one.<\/p>\n<p><strong>\ud83d\udc40 Are you a visual learner? Don\u2019t worry, we have you covered. \ud83d\udc47<\/strong><\/p>\n<div class=\"mod-vh position-relative\" style=\"height: 0; padding-bottom: calc((9 \/ 16)*100%);\">\n\t\t\t<iframe loading=\"lazy\" class=\"position-absolute top-0 left-0 width-full height-full\" src=\"https:\/\/www.youtube.com\/embed\/AF0xIgiQqmY?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" title=\"YouTube video player\" allow=\"accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen=\"\" frameborder=\"0\"><\/iframe>\n\t\t<\/div>\n<h2 id=\"shifting-the-burden-not-the-benefit\"><a class=\"heading-link\" href=\"#shifting-the-burden-not-the-benefit\">Shifting the burden, not the benefit<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>Director of Field Services for GitHub Advanced Security, <a href=\"https:\/\/github.com\/NickLiffen\">Nick Liffen<\/a>, explored this challenge with an audience of developers at GitHub Universe. First, he asked everyone in the room to stand. Then, he gave his audience a choice: stay standing if developers at their organizations loved remediating vulnerabilities, or resume their seats if they didn\u2019t. As you might expect, almost everyone sat down. 
Coders prefer to write code.<\/p>\n<p>While development teams sprint to ship new features that solve customer problems, open new markets, and leapfrog competitors, security teams are charged with protecting an organization\u2019s data and reputation. Go fast, but reduce risk. It\u2019s hard enough for an entire organization to do both, but is it reasonable to ask that of a development team or of a single developer?<\/p>\n<p>Let\u2019s dig a little deeper into those pain points.<\/p>\n<ul>\n<li><strong>When developers and security teams clash, everyone loses.<\/strong> The goal for most developers is to ship great products by getting code into production as fast as they can. The goal for the security team is to make sure their organization\u2019s software is as secure as possible by addressing high-severity and high-impact vulnerabilities quickly, then prioritizing other vulnerabilities as they arise. These dueling incentives often lead to friction between the two teams, as developers want to get their code out and security engineers want to ensure that code changes are fully vetted before they\u2019re shipped.<\/li>\n<li><strong>Shifting left shifts responsibility, but not expertise.<\/strong> Integrating a security tool into a developer\u2019s workflow doesn\u2019t always mean developers will use it (or even know how to use it). In fact, an abundance of false-positive alerts can make it less likely that developers pay attention to potential vulnerabilities. This means missed deadlines, unfixed vulnerabilities, and a fruitless blame game that estranges developers and security teams.<\/li>\n<li><strong>Unaffordable context switching is inherent in the security process.<\/strong> Oftentimes, developers don\u2019t have the knowledge or full context to fix the vulnerabilities and bugs they\u2019re receiving. This means they have to leave their environment, go to Google, and break their flow to figure out what to do. 
This is <a href=\"https:\/\/github.blog\/2022-12-08-experiment-the-hidden-costs-of-waiting-on-slow-build-times\/\">the type of context-switching that creates a terrible developer experience<\/a>, which slows down overall productivity and velocity across engineering teams.<\/li>\n<\/ul>\n<figure class=\"gh-full-blockquote mx-0 pl-6 mt-6 mt-md-7 mb-7 mb-md-8\"><blockquote><p>Security at the expense of usability comes at the expense of security.<\/p><\/blockquote><figcaption class=\"text-mono color-fg-muted f5-mktg mt-3\"> - Avi Douglen \/\/ OWASP Board of Directors<\/figcaption><\/figure>\n<p>With constantly evolving threats and not enough time or documentation for training to manage them\u2014not to mention the monotony of addressing vulnerabilities, as opposed to the creativity and freedom of writing code\u2014it\u2019s no wonder so many developers sat down after Liffen\u2019s question.<\/p>\n<p>When it comes to organizations as a whole, there are two pivotal challenges. The first is that applications <a href=\"https:\/\/www.verizon.com\/business\/resources\/articles\/s\/frequently-asked-questions-on-credential-theft-prevention-and-protection\/#:~:text=The%202022%20DBIR%20found%20that,vector%20for%20credential%2Dbased%20attacks.\">are the number one attack vector<\/a> for malicious actors. The second is that <strong>security breaches are getting more and more expensive<\/strong>, growing 15% over the last three years, <a href=\"https:\/\/www.ibm.com\/reports\/data-breach\">according to a recent IBM report<\/a>. That same report says enterprises that use security AI and automation extensively can save $1.76 million when compared to organizations that don\u2019t.<\/p>\n<p>In order for your enterprise to innovate at scale and save money, developers can\u2019t be forced to choose between security and velocity. 
And increasingly with AI, they don\u2019t have to.<\/p>\n<h2 id=\"ai-to-the-rescue\"><a class=\"heading-link\" href=\"#ai-to-the-rescue\">AI to the rescue?<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>AI tools like GitHub Copilot already make security more developer-centric with code suggestions and context around vulnerabilities within the developer workflow. Even though this is the beginning of our journey with AI, new products, tools, and platforms are already helping developers write more secure code from the start\u2014and allow issues to be more easily addressed as they come up.<\/p>\n<p>\u201cDevelopers need the ability to proactively secure their code right where it\u2019s created\u2014instead of testing for and remediating vulnerabilities after the fact,\u201d <a href=\"https:\/\/github.blog\/2023-11-08-ai-powered-appsec\/\">says<\/a> GitHub\u2019s Director of Product Marketing, <a href=\"https:\/\/github.blog\/author\/lauraleap\/\">Laura Paine<\/a>. \u201cEmbedded security is critical to delivering secure applications.\u201d<\/p>\n<p>Let\u2019s take a look at where AI can help embed security within the developer workflow.<\/p>\n<h3 id=\"improved-detection\"><a class=\"heading-link\" href=\"#improved-detection\">Improved detection<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h3>\n<p>Because almost <a href=\"https:\/\/www.hipaajournal.com\/open-source-security-risks\/\">80% of code<\/a> in today\u2019s applications relies on open source packages, current SCA tools need to scan and understand third-party packages. When vendors don\u2019t add modeling information for your packages, developers need to manually build out the modeling information. 
But with a tool like <a href=\"https:\/\/codeql.github.com\/\">CodeQL<\/a> that\u2019s used in tandem with AI tools, developers can automate the threat-modeling process, saving them time and energy, and ensuring compliance with industry standards.<\/p>\n<p>When it comes to secrets, for instance, we recently integrated AI at GitHub into our secret scanning technology to help detect unstructured and human-generated secrets like passwords and credentials. Plus, if you enable <a href=\"https:\/\/docs.github.com\/code-security\/secret-scanning\/about-the-detection-of-generic-secrets-with-secret-scanning\">secret scanning&#8217;s AI-powered features<\/a>, GitHub can generate custom patterns for you\u2014and you can test these patterns before saving to make sure they work. Once secrets are detected, security managers and repository owners can view the alerts, and if they determine that the alert is legitimate, they can work with developers to resolve the issue. This will save developers time, make collaboration much more seamless, and ensure your secrets stay safe.<\/p>\n<h3 id=\"found-means-fixed\"><a class=\"heading-link\" href=\"#found-means-fixed\">Found means fixed<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h3>\n<p>\u201cPicture this,\u201d says GitHub\u2019s VP of Product Management, <a href=\"https:\/\/github.blog\/author\/ashac15\/\">Asha Chakrabarty<\/a>. \u201cYou receive a security alert, but instead of just getting guidance on how to do the fix yourself, you get an AI-generated fix right in your pull request. 
And this isn\u2019t just any fix, but a precise actionable suggestion that helps you resolve the issue faster and prevent new vulnerabilities from creeping into your codebase.\u201d<\/p>\n<p>Developers can try this kind of AI-powered remediation with the public beta of <a href=\"https:\/\/docs.github.com\/code-security\/code-scanning\/managing-code-scanning-alerts\/about-autofix-for-codeql-code-scanning\">code scanning autofix<\/a>. What makes it so powerful\u2014aside from the fact that it supports over 90% of the queries we have\u2014is that it provides both the findings and the fix, so developers can remediate vulnerabilities as they code. This means faster fixes, less context-switching, and more productivity. Not to mention more secure code.<\/p>\n<h3 id=\"doing-application-security-at-scale-with-ai\"><a class=\"heading-link\" href=\"#doing-application-security-at-scale-with-ai\">Doing application security at scale with AI<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h3>\n<p>We often hear that AI will democratize software development by making it easier for more people to write and understand code. The truth is, it already is. With AI-powered tools, more developers can write secure code faster.<\/p>\n<p>That democratization starts with learning, and AI can provide developers of all levels with AppSec knowledge. For example, when a developer gets a security alert, they can use AI coding tools in their IDE to figure out the issue (instead of having to interrupt their flow and search online for the answer). They can also learn how a particular security issue might arise by using AI tools to generate vulnerability examples tailored to their codebase.<\/p>\n<p>And new AI-powered AppSec tools aren&#8217;t just helping developers\u2014they&#8217;re helping security professionals, too. 
There are new products, for example, that offer overviews of repository and project security with actionable insights for administrators and simple ways to assign work across engineering and security teams. The more knowledge that can be shared and the more data your teams can study, the easier it\u2019ll be to address security findings and fine-tune your AppSec program as your organization grows.<\/p>\n<p>At GitHub, our newly released <a href=\"https:\/\/docs.github.com\/code-security\/security-overview\/about-security-overview\">security overview dashboards<\/a> make it simple for everyone from developers to administrators to get a clear view into their organization\u2019s security efforts, from historical trend analysis to your overall mean time to remediation. With these dashboards, you can easily gauge your security posture and filter data to find trends in dates, repositories, and more. If executives want to know how effective your remediation efforts are, you can tell them with just a few clicks.<\/p>\n<h2 id=\"where-we-go-from-here\"><a class=\"heading-link\" href=\"#where-we-go-from-here\">Where we go from here<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>Over the next five years, it\u2019s projected that 500 million more applications will be written. That\u2019s more applications than developers have created in the last <a href=\"https:\/\/www.cnbc.com\/2020\/04\/01\/new-microsoft-google-amazon-cloud-battle-over-world-without-code.html\">40 years combined<\/a>. With all this immense growth, security is only going to get harder if we keep forcing a shift-left mentality without addressing its critical pain points. 
Improving alert relevancy, speeding up remediation, and reducing friction are going to be key in keeping these applications safe, and AI will help us get there.<\/p>\n<p>What we really need to do to make developers love (or at least like) security is to meet them where they are and provide them tools they want to use. Liffen\u2019s goal: \u201cHopefully security will become so unconscious and frictionless in the developer workflow, security will just be the way developers work.\u201d<\/p>\n<div class=\"post-content-cta\"><p>Ready to harness our newly launched AI-powered security tools? <a href=\"https:\/\/docs.github.com\/code-security\/code-scanning\/managing-code-scanning-alerts\/about-autofix-for-codeql-code-scanning\">Learn more<\/a> or <a href=\"https:\/\/github.com\/features\/security\">get started now<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. Here\u2019s how. 
<\/p>\n","protected":false},"author":2049,"featured_media":76497,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gh_post_show_toc":"no","_gh_post_is_no_robots":"no","_gh_post_is_featured":"no","_gh_post_is_excluded":"no","_gh_post_is_unlisted":"no","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"","_gh_post_sq_img_id":"","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"Click Here to Learn More","_gh_post_recirc_hide":"no","_gh_post_recirc_col_1":"","_gh_post_recirc_col_2":"","_gh_post_recirc_col_3":"","_gh_post_recirc_col_4":"","_featured_video":"","_gh_post_additional_query_params":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false,"_links_to":"","_links_to_target":""},"categories":[3334,91],"tags":[3241,2881,1955,2902,2585,2949],"coauthors":[2867],"class_list":["post-76493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application-security","category-security","tag-ai-insights","tag-appsec","tag-codeql","tag-devsecops","tag-github-advanced-security","tag-sast"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>AppSec is harder than you think. Here\u2019s how AI can help. - The GitHub Blog<\/title>\n<meta name=\"description\" content=\"In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. 
Here\u2019s how.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AppSec is harder than you think. Here\u2019s how AI can help.\" \/>\n<meta property=\"og:description\" content=\"In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. Here\u2019s how.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/\" \/>\n<meta property=\"og:site_name\" content=\"The GitHub Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-02-06T18:19:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-19T19:46:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2024\/02\/Security-LightMode-1-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Eric Tooley\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Eric Tooley\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/\"},\"author\":{\"name\":\"Eric Tooley\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/89bab15382ce8355e8b6118a9b77b082\"},\"headline\":\"AppSec is harder than you think. Here\u2019s how AI can help.\",\"datePublished\":\"2024-02-06T18:19:05+00:00\",\"dateModified\":\"2025-05-19T19:46:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/\"},\"wordCount\":1664,\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/Security-LightMode-1-1.png?fit=1200%2C630\",\"keywords\":[\"AI Insights\",\"AppSec\",\"CodeQL\",\"DevSecOps\",\"GitHub Advanced Security\",\"SAST\"],\"articleSection\":[\"Application security\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/\",\"name\":\"AppSec is harder than you think. Here\u2019s how AI can help. 
- The GitHub Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/Security-LightMode-1-1.png?fit=1200%2C630\",\"datePublished\":\"2024-02-06T18:19:05+00:00\",\"dateModified\":\"2025-05-19T19:46:45+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/89bab15382ce8355e8b6118a9b77b082\"},\"description\":\"In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. Here\u2019s how.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/#primaryimage\",\"url\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/Security-LightMode-1-1.png?fit=1200%2C630\",\"contentUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/Security-LightMode-1-1.png?fit=1200%2C630\",\"width\":1200,\"height\":630},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/appsec-is-harder-than-you-think-heres-how-ai-can-help\\\/#breadcrumb\",\"itemListElement\":[{\"@type
\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/github.blog\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Application security\",\"item\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"AppSec is harder than you think. Here\u2019s how AI can help.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/89bab15382ce8355e8b6118a9b77b082\",\"name\":\"Eric Tooley\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/13a9954b2f039441ff561a8d5ad61eabc0df30913efa3c0d6165543ef8ce1d69?s=96&d=mm&r=g22cab28eb226a9f8d2dd6fbdb03cd205\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/13a9954b2f039441ff561a8d5ad61eabc0df30913efa3c0d6165543ef8ce1d69?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/13a9954b2f039441ff561a8d5ad61eabc0df30913efa3c0d6165543ef8ce1d69?s=96&d=mm&r=g\",\"caption\":\"Eric Tooley\"},\"description\":\"Senior Product Marketing Manager\",\"url\":\"https:\\\/\\\/github.blog\\\/author\\\/2ley\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"AppSec is harder than you think. Here\u2019s how AI can help. 
- The GitHub Blog","description":"In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. Here\u2019s how.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/","og_locale":"en_US","og_type":"article","og_title":"AppSec is harder than you think. Here\u2019s how AI can help.","og_description":"In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. Here\u2019s how.","og_url":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/","og_site_name":"The GitHub Blog","article_published_time":"2024-02-06T18:19:05+00:00","article_modified_time":"2025-05-19T19:46:45+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/github.blog\/wp-content\/uploads\/2024\/02\/Security-LightMode-1-1.png","type":"image\/png"}],"author":"Eric Tooley","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Eric Tooley","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/#article","isPartOf":{"@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/"},"author":{"name":"Eric Tooley","@id":"https:\/\/github.blog\/#\/schema\/person\/89bab15382ce8355e8b6118a9b77b082"},"headline":"AppSec is harder than you think. 
Here\u2019s how AI can help.","datePublished":"2024-02-06T18:19:05+00:00","dateModified":"2025-05-19T19:46:45+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/"},"wordCount":1664,"image":{"@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2024\/02\/Security-LightMode-1-1.png?fit=1200%2C630","keywords":["AI Insights","AppSec","CodeQL","DevSecOps","GitHub Advanced Security","SAST"],"articleSection":["Application security","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/","url":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/","name":"AppSec is harder than you think. Here\u2019s how AI can help. - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2024\/02\/Security-LightMode-1-1.png?fit=1200%2C630","datePublished":"2024-02-06T18:19:05+00:00","dateModified":"2025-05-19T19:46:45+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/89bab15382ce8355e8b6118a9b77b082"},"description":"In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. 
Here\u2019s how.","breadcrumb":{"@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2024\/02\/Security-LightMode-1-1.png?fit=1200%2C630","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2024\/02\/Security-LightMode-1-1.png?fit=1200%2C630","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/security\/application-security\/appsec-is-harder-than-you-think-heres-how-ai-can-help\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/github.blog\/security\/"},{"@type":"ListItem","position":3,"name":"Application security","item":"https:\/\/github.blog\/security\/application-security\/"},{"@type":"ListItem","position":4,"name":"AppSec is harder than you think. 
Here\u2019s how AI can help."}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/89bab15382ce8355e8b6118a9b77b082","name":"Eric Tooley","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/13a9954b2f039441ff561a8d5ad61eabc0df30913efa3c0d6165543ef8ce1d69?s=96&d=mm&r=g22cab28eb226a9f8d2dd6fbdb03cd205","url":"https:\/\/secure.gravatar.com\/avatar\/13a9954b2f039441ff561a8d5ad61eabc0df30913efa3c0d6165543ef8ce1d69?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/13a9954b2f039441ff561a8d5ad61eabc0df30913efa3c0d6165543ef8ce1d69?s=96&d=mm&r=g","caption":"Eric Tooley"},"description":"Senior Product Marketing 
Manager","url":"https:\/\/github.blog\/author\/2ley\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/github.blog\/wp-content\/uploads\/2024\/02\/Security-LightMode-1-1.png?fit=1200%2C630","jetpack_shortlink":"https:\/\/wp.me\/pamS32-jTL","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/76493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/2049"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=76493"}],"version-history":[{"count":8,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/76493\/revisions"}],"predecessor-version":[{"id":88104,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/76493\/revisions\/88104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/76497"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=76493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=76493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=76493"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=76493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}