CTO AI Corner: How can AI help with security code audits?

Security code audits are a lot of fun - the thrill of discovering vulnerabilities and making the world a little safer. But let's be honest, they also involve a lot of repetitive work - checking the same things over and over again to ensure no detail is missed.

Automation tools help with many of these tasks, but there's still a significant manual workload. For the first time, I experimented with AI to assist in the routine manual parts of the process - and the results were surprisingly good. Unfortunately, I couldn't find existing AI tools designed for this specific purpose.

In any case, I built a few AI-driven pipelines to streamline security checks. Here's a quick overview:

Injection Pipeline:

1. Identify user inputs

2. Check validations and data formats

3. List potentially malicious inputs

4. Trace how inputs are used

5. Verify escape mechanisms

6. Detect potential injection risks
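Several of these steps can be mechanized before any AI is involved, which also gives the model a smaller, pre-digested input to reason about. The script below is an added example, not the author's pipeline or code: it performs steps 1, 4, 5 and 6 deterministically over a constructed sample with Python's `ast` module, treating the listed `request.*` calls as sources, following them through assignments, and reporting what reaches `cursor.execute` or a `subprocess` call unescaped. The source, sink and sanitizer tables, the severity labels and the sample handlers are all assumptions; steps 2 and 3 (judging validations, proposing malicious inputs) are exactly where a fixed allow-list like `SANITIZERS` falls short and a model earns its place.

```python
"""Deterministic pre-pass for the injection pipeline: steps 1 (sources),
4 (taint propagation), 5 (escaping) and 6 (findings). Added example, not the
author's AI pipeline; source/sink/sanitizer tables and the sample are assumed."""
import ast
from collections import namedtuple

# Constructed sample under audit: hypothetical Flask-style handlers.
SAMPLE = '''
def lookup(conn):
    name = request.args.get("name")
    conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return conn.fetchall()

def lookup_safe(conn):
    name = request.args.get("name")
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))
    return conn.fetchall()

def ping():
    host = request.form["host"]
    return subprocess.run("ping -c1 " + host, shell=True)

def ping_quoted():
    host = request.form["host"]
    return subprocess.run("ping -c1 " + shlex.quote(host), shell=True)

def ping_argv():
    host = request.form["host"]
    return subprocess.run(["ping", "-c1", host])
'''

SOURCES = {"request.args", "request.args.get", "request.form", "input"}  # step 1 (assumed)
SANITIZERS = {"shlex.quote", "int"}        # step 5: call results treated as clean (assumed)
SHELL_SINKS = {"subprocess.run", "subprocess.Popen", "os.system"}
Finding = namedtuple("Finding", "function line sink severity message")

def dotted(node):
    """'a.b.c' for a Name/Attribute chain, None for any other node."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def is_tainted(expr, tainted):
    """Step 4: does the expression carry user input, directly or via a tainted name?"""
    name = dotted(expr.func) if isinstance(expr, ast.Call) else dotted(expr)
    if name in SANITIZERS and isinstance(expr, ast.Call):
        return False                      # escaped or type-converted result is clean
    if name in SOURCES:
        return True                       # request.form[...] recurses down to request.form
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def check_sink(call, tainted, fn):
    """Steps 5 and 6: classify a call into a dangerous sink."""
    name = dotted(call.func) or ""
    if not call.args:
        return None
    first = is_tainted(call.args[0], tainted)
    if name.endswith(".execute"):         # DB-API execute(query, params)
        if first:
            return Finding(fn, call.lineno, "sql", "HIGH", "query built from user input; bind it instead")
        if len(call.args) > 1 and is_tainted(call.args[1], tainted):
            return Finding(fn, call.lineno, "sql", "OK", "user input bound as a parameter")
        return None
    if name in SHELL_SINKS:
        shell = name == "os.system" or any(
            k.arg == "shell" and getattr(k.value, "value", None) is True
            for k in call.keywords)
        if first and shell:
            return Finding(fn, call.lineno, "shell", "HIGH", "shell command contains unescaped user input")
        if first:
            return Finding(fn, call.lineno, "shell", "LOW", "user input is one argv element; can it start with '-'?")
        return Finding(fn, call.lineno, "shell", "OK", "command contains no unescaped user input")
    return None

def audit(source):
    """Run the pre-pass over every function in `source`; findings in source order."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        # Visit nodes in source order so assignments are seen before the sinks using them.
        for node in sorted((n for n in ast.walk(fn) if hasattr(n, "lineno")),
                           key=lambda n: (n.lineno, n.col_offset)):
            if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
            elif isinstance(node, ast.Call):
                finding = check_sink(node, tainted, fn.name)
                if finding:
                    findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.severity:4} {f.function}:{f.line} [{f.sink}] {f.message}")
```

Running it reports `lookup` and `ping` as HIGH, `lookup_safe` and `ping_quoted` as OK, and `ping_argv` as LOW: passing user input as a single argv element defeats shell metacharacters but not option injection (a value such as `-f`), which is the kind of caveat a reviewer wants surfaced rather than hidden behind a green tick. The analysis is intraprocedural and flow-insensitive about branches, so treat its output as a worklist for the manual (or AI-assisted) steps, not as a verdict.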

Authentication and Access Control Pipeline:

1. Map all APIs and endpoints

2. Identify required access levels

3. Compare with documentation

4. Highlight potential access control issues
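The same idea applies here: the endpoint inventory and the enforced-versus-documented diff are mechanical, and only the judgment calls need a model or a human. The script below is an added example, not the author's pipeline or code. It parses a constructed Flask-style module, records the HTTP methods and path of every routed handler (step 1), derives the access level each one enforces from its decorators (step 2), and diffs that against a documented access matrix (steps 3 and 4). The decorator names `login_required` and `roles_required`, the level ordering, the sample routes and the matrix are all assumptions; a real project would read the matrix from its API documentation and map its own decorators or middleware into `LEVELS`.

```python
"""Static version of the access-control pipeline: map routes (step 1), derive the
access level each handler enforces from its decorators (step 2), diff against the
documented matrix (steps 3 and 4). Added example, not the author's pipeline; the
decorator names, the sample app and the documented matrix are assumptions."""
import ast
from collections import namedtuple

# Constructed sample app: hypothetical Flask-style routes.
SAMPLE_APP = '''
@app.route("/api/users", methods=["GET"])
@login_required
def list_users(): ...

@app.route("/api/users/<int:uid>", methods=["DELETE"])
@roles_required("admin")
def delete_user(uid): ...

@app.route("/api/users/<int:uid>/password", methods=["POST"])
@login_required
def reset_password(uid): ...

@app.route("/api/health")
def health(): ...

@app.route("/api/admin/export")
def export_all(): ...

@app.route("/api/debug/config")
def debug_config(): ...
'''

# Documented access matrix (constructed): (METHOD, path) -> lowest level allowed.
LEVELS = {"anonymous": 0, "user": 1, "admin": 2}
DOCUMENTED = {
    ("GET", "/api/users"): "user",
    ("DELETE", "/api/users/<int:uid>"): "admin",
    ("POST", "/api/users/<int:uid>/password"): "admin",
    ("GET", "/api/health"): "anonymous",
    ("GET", "/api/admin/export"): "admin",
    ("POST", "/api/logout"): "user",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
Endpoint = namedtuple("Endpoint", "method path handler enforced")

def decorator_name(dec):
    """'app.route' for @app.route(...), 'login_required' for a bare @login_required."""
    node = dec.func if isinstance(dec, ast.Call) else dec
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    parts.append(node.id)
    return ".".join(reversed(parts))

def map_endpoints(source):
    """Steps 1 and 2: every routed handler with the access level its decorators enforce."""
    endpoints = []
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        routes, enforced = [], "anonymous"      # no access decorator -> anonymous
        for dec in fn.decorator_list:
            name = decorator_name(dec)
            if name == "app.route":
                methods = ["GET"]               # Flask default when methods= is absent
                for kw in dec.keywords:
                    if kw.arg == "methods":
                        methods = [m.value for m in kw.value.elts]
                routes += [(m, dec.args[0].value) for m in methods]
            elif name == "login_required":
                enforced = max(enforced, "user", key=LEVELS.get)
            elif name == "roles_required":
                enforced = max(enforced, dec.args[0].value, key=LEVELS.get)
        endpoints += [Endpoint(m, p, fn.name, enforced) for m, p in routes]
    return endpoints

def compare(endpoints, documented):
    """Steps 3 and 4: (severity, (method, path), message) for every mismatch."""
    issues, seen = [], set()
    for ep in endpoints:
        key = (ep.method, ep.path)
        seen.add(key)
        doc = documented.get(key)
        if doc is None:
            issues.append(("MEDIUM", key, f"{ep.handler}: undocumented, enforces '{ep.enforced}'"))
        elif LEVELS[ep.enforced] < LEVELS[doc]:
            issues.append(("HIGH", key, f"{ep.handler}: docs require '{doc}', code enforces '{ep.enforced}'"))
        elif LEVELS[ep.enforced] > LEVELS[doc]:
            issues.append(("LOW", key, f"{ep.handler}: stricter than documented ('{ep.enforced}' vs '{doc}')"))
        if ep.enforced == "anonymous" and ep.method not in SAFE_METHODS:
            issues.append(("HIGH", key, f"{ep.handler}: state-changing method reachable anonymously"))
    for key in sorted(documented.keys() - seen):
        issues.append(("LOW", key, "documented endpoint has no handler in code"))
    return issues

if __name__ == "__main__":
    for severity, (method, path), message in compare(map_endpoints(SAMPLE_APP), DOCUMENTED):
        print(f"{severity:6} {method:6} {path:35} {message}")
```

On the sample this flags `reset_password` (documented as admin-only, code only requires a login) and `export_all` (documented as admin-only, no access decorator at all) as HIGH, `debug_config` as an undocumented endpoint, and the documented `POST /api/logout` as having no handler. The last two are where the "compare with documentation" step pays off in both directions: undocumented routes are the ones nobody threat-modeled, and documented routes with no code often mean the docs describe a control that was never shipped.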

The results?

I didn't fully trust the AI yet, so I probably didn't save time this round. But looking ahead, I see huge potential for making audits faster, more efficient, and - most importantly - less repetitive. That's a win in my book!

We're also using similar AI pipelines in QA to catch issues that static code analyzers struggle with.

March 25, 2025
Authors
Tomi Leppälahti