How we’re making app security smarter
Transforming app security with AI-powered static analysis
How do you secure code produced by 400+ developers with a five-person team? It's a challenge application security engineers at fast-growing tech companies know well. Traditional manual code reviews and basic rule-based scanning simply can't keep up with development velocity.
In highly regulated industries with strict compliance requirements (SOC 2, for example), developers run detection rules but still risk missing vulnerabilities that no rule covers. Even when issues are detected, remediation often stalls when developers receive comments that identify a problem without saying how to fix it, and excessive false positives strain both developers and security teams.
That's now changing thanks to AI-powered static analysis. With Semgrep's AI-enhanced platform, our team has discovered what the future of application security looks like: smarter, more contextual, and truly collaborative.
The AI Analysis Breakthrough
What brought our team to Semgrep was its AI-powered analysis: precise, contextual, and developer-first. While many vendors merely theorized about what AI could do, Semgrep demonstrated a genuine understanding of its potential to transform code analysis.
The results have been immediate. With Semgrep, we have scaled security coverage across hundreds of developers without adding friction to their workflow.
Moving Beyond Pattern Recognition
Beyond filtering false positives, Semgrep changed how our developers interact with security findings.
What sets it apart is specificity. Semgrep’s AI assistant generates tailored solutions for the exact code being reviewed. This significantly increases developer adoption and remediation rates since the path to resolution is clear and immediate.
In one instance involving a potential SQL injection vulnerability, the AI assistant correctly identified that the input was already being validated in another function along the execution path, somewhere the rule's pattern alone could not see. It reasoned about how the code actually operated rather than simply pattern-matching against unsafe database queries. The check a reviewer still owes such a finding is to confirm that the validation sits between the untrusted source and the query and genuinely constrains the value: validation that runs after the query has executed protects nothing, and a parameterized query remains the fix that needs no such reasoning.
This level of contextual analysis goes beyond traditional pattern recognition to follow data flow and its security implications across multiple functions. It meets developers where they are, integrating security into their natural workflow.
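To make the SQL injection case above concrete, here is an added example. It is not Wealthsimple's code, not a Semgrep rule, and not the finding described in the text; it is a self-contained Python script against an in-memory SQLite table with constructed sample rows. The `validate_username` allow-list helper is hypothetical. It shows the four query shapes a reviewer has to tell apart: the genuinely vulnerable one, the string-built query that a pure pattern rule flags but that a validator elsewhere actually protects (the false positive), the validator that runs too late to help, and the parameterized query. A trace callback records which SQL statements the driver really executed, which is the evidence that settles the "too late" case.

```python
import re
import sqlite3

# Constructed sample data for the demo: two accounts in an in-memory SQLite table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn

# A classic injection payload; in a string-built query it matches every row.
INJECTION = "x' OR '1'='1"

# Hypothetical allow-list validator living in its own function, as in the
# article's example. A rule that only inspects the query line cannot see it;
# a dataflow-aware analysis can.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    return username

# 1. Vulnerable: untrusted input formatted straight into the SQL string.
def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

# 2. Same query shape (still a hit for a pure pattern rule), but the value was
#    validated before it reached the query, so the payload never executes.
#    This is the false-positive shape the article describes.
def find_user_validated_first(conn: sqlite3.Connection, raw_username: str):
    username = validate_username(raw_username)
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

# 3. Validation that sits after the query in the execution path protects
#    nothing: the injected statement has already run by the time it raises.
#    Check this ordering before accepting a "validated elsewhere" explanation.
def find_user_validated_too_late(conn: sqlite3.Connection, raw_username: str):
    query = f"SELECT id, username FROM users WHERE username = '{raw_username}'"
    rows = conn.execute(query).fetchall()
    validate_username(raw_username)
    return rows

# 4. The fix that needs no validator for query safety: a parameterized query,
#    where the driver never interprets the value as SQL.
def find_user_parameterized(conn: sqlite3.Connection, username: str):
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()

def run_with_trace(fn, conn: sqlite3.Connection, value: str):
    """Call fn and return (outcome, list of SQL statements the driver ran).

    outcome is the rows returned, or the string "rejected" if the validator
    raised. The trace callback fires once per statement actually executed.
    """
    executed = []
    conn.set_trace_callback(executed.append)
    try:
        outcome = fn(conn, value)
    except ValueError:
        outcome = "rejected"
    finally:
        conn.set_trace_callback(None)
    return outcome, executed

def demo():
    """Run every query shape against the injection payload on a fresh table."""
    conn = make_db()
    return {
        name: run_with_trace(fn, conn, INJECTION)
        for name, fn in [
            ("vulnerable", find_user_vulnerable),
            ("validated_first", find_user_validated_first),
            ("validated_too_late", find_user_validated_too_late),
            ("parameterized", find_user_parameterized),
        ]
    }

if __name__ == "__main__":
    for name, (outcome, executed) in demo().items():
        print(f"{name:20} -> {outcome!r}; statements run: {len(executed)}")
```

The vulnerable shape returns both rows for the payload; the validated-first shape rejects the payload before any SQL runs; the validated-too-late shape also raises, but the trace shows the injected statement had already executed; the parameterized query runs once and returns nothing. Only the second and fourth shapes justify closing a finding, and the difference between the second and third is exactly the ordering question a reviewer has to answer.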
Making Security Tools Smarter
One of the most impactful AI features has been Semgrep Memories, a system that learns from our security decisions and applies that knowledge to future scans. The implementation is remarkably simple: click 'new memory' and add a plain-language description of the context or pattern you want the system to recognize.
In just a short implementation period, our 12 active memories have:
- Analyzed 630+ security findings
- Identified 397 likely false positives (reducing their frequency by 62%)
- Prevented 38 PR comments
Each one of these is a friction point that never materialized. The system also suggests memories on its own: the AI recommends new memories based on patterns it observes across the codebase, so its accuracy improves over time.
Looking Ahead
Our team sees AI continuing to evolve beyond detection and triage to become more prescriptive and preventative. We envision an AI capable of actively helping developers understand secure patterns specific to their coding style and application architecture.
What's most promising is how AI could elevate the role of security. With routine checks run immediately and contextual guidance built in, security teams can engage earlier and more effectively.
The AI AppSec Revolution
Our experience illustrates a broader transformation happening across the application security industry. AI isn't just making things more efficient, it's enabling entirely new approaches to application security that are more intelligent, collaborative, and effective.
For companies operating under strict regulatory requirements, AI-powered application security is a turning point. It offers the precision needed for ensuring regulatory compliance while providing the speed necessary for competitive software delivery.
The future of application security goes beyond finding more vulnerabilities. It's about finding the right vulnerabilities, providing actionable guidance, and strengthening our security partnerships.
...
Written by Solomon Serry, Software Developer
Interested in working at Wealthsimple? Check out the open roles on our team today.