Today’s Security Imperative: Trust, Speed, and Integral Defense
By Shachar Menashe
The introduction of agentic security researchers marks a powerful advancement in application security. These tools transcend traditional static analysis by leveraging Large Language Model (LLM) reasoning to understand code behavior and context, effectively mimicking the analysis of a human expert.
While these agents are a useful addition, they are not a complete solution. They primarily focus on source code analysis after it is committed, often overlooking the broader security posture of the deployed software, including compiled code and its full set of third-party dependencies. Furthermore, they do not yet match the expertise of trained security researchers, which limits their ability to address all supply chain risks effectively.
This gap highlights the need for a holistic security paradigm that addresses risks across the entire software supply chain. JFrog advocates for a multi-layered, end-to-end strategy: a comprehensive solution that mitigates all types of security risks at every stage of development, backed by human expertise to ensure resilient software and build trust with every deployment.
End-to-End Security
Security isn’t a single point-in-time check; it’s a continuous effort from the moment source code is written until the artifact is deployed into production. Focusing on source code only, with or without LLMs, can introduce huge blind spots that can significantly impact the software’s security. For example, our recent discovery of leaked PyPI secret tokens embedded in binaries proves that even "clean" source code can introduce one of the biggest supply chain risks when those secrets make their way into public Docker images.
Supporting All Types of Security Threats
Looking for zero-day vulnerabilities by scanning source code alone is insufficient. This method entirely misses the high risks that stem from integrating third-party dependencies into your code, which include both known vulnerabilities and malicious packages. Dependencies are typically a primary target for attackers, which is why it’s crucial for companies to track those risks, actively work to reduce the number of high-severity vulnerabilities in their code, and prevent malicious packages from entering their software.
Human Security Researchers
AI Static Application Security Testing (AI SAST) is an unproven method that uses AI, machine learning, and large language models to enhance traditional static code analysis for identifying security vulnerabilities. To date, no major, high-profile CVEs have been detected or reported solely using AI tools. The question is not whether these AI tools can find vulnerabilities (they can), but whether they can find sophisticated vulnerabilities as effectively as trained human researchers can, at a time when the systemic nature of software supply chain attacks is growing more complex.
While agentic security research tools are not there (yet), they do offer valuable complementary insights and should be embraced. However, we believe that only a centralized platform can battle today’s threat landscape: one that covers the entire software supply chain, from code creation through binary deployment, that is capable of tracking all dependencies, mitigating every type of risk, and providing governance, control, and binary protection, and that is backed by human security expertise.
jfrog.com