Powering DevSecOps with ChatCVE
Hello, LinkedIn community!
I’m introducing the ChatCVE Lang Chain App, a groundbreaking DevSecOps-AI MVP designed to make cybersecurity data accessible and empowering for everyone on the team. With the rising complexity of, and growing focus on, software supply chains, keeping our systems secure is no longer just an IT Department or CISO's job. Bolstered by recent and upcoming Federal Guidance, it's also abundantly clear that a shared responsibility model extends to everyone in the organization, including Audit, Compliance teams, and even non-technical staff and partners.
So, the question must be asked: How can AI democratize our security findings data so that all team members are empowered to take immediate action without waiting for data or struggling with UIs? Our application leverages the power of Artificial Intelligence and Natural Language Processing, making organizational cybersecurity findings universally comprehensible and accessible. Through the new ChatCVE AI engine, we aim to bridge the gap between complex Secure Software Supply Chain & Zero Trust requirements and the teams that must implement and audit them.
A New Way to Triage DevSecOps Findings
ChatCVE, powered by the LangChain project, simplifies the process of extracting and analyzing Common Vulnerabilities and Exposures (CVE) information. In plain English (or any language of your preference), you can ask our AI, "Which application has the most critical vulnerabilities?" and it will return accurate results, without you or another team member needing to sift through mountains of SBOM data or master intricate SQL queries.
By translating your requests into SQL queries, the application can efficiently scour your Software Bill of Materials (SBOM) repositories for relevant information. It goes beyond passive querying, as well, offering proactive assistance to help identify potential areas of concern and making auditing efforts more efficient.
Practical Uses for Diverse Teams
ChatCVE offers value for a range of team members across an organization. Immediate access to findings data in any language allows anyone to act immediately on queries.
⭐ Security Analysts: Now, you can find detailed CVE information quickly and address issues without dealing with complex databases.
⭐ Audit Teams: You can efficiently target your auditing efforts, ensuring compliance with relevant security standards.
⭐ Compliance Teams: With the documentation and usage tracking provided by the application, you can make sure all known libraries are accounted for when defining attestation.
⭐ Development Teams: Triage suggestions are directly available, helping you tackle vulnerabilities at their root.
Simplified Workflow for DevSecOps
This application isn't just about bringing critical information to your fingertips; it's also designed to fit seamlessly into your organization's #shiftleft DevSecOps strategy. The image below shows where Security Scans can be inserted before a merge request. This, along with rigorous hardening of other endpoints like image registries, offers a 'closed loop' approach in an overall shift-left security strategy. We seed our databases with this scan data along with the endpoints.
Once you clone the Lang Chain App repository, you can simply set up a Python environment, install the requirements, and then you're ready to go! The application takes care of creating the necessary databases and populating them with your SBOM and CVE data.
Setup is easy, and requirements are straightforward:
The Power of AI in Action
ChatCVE is more than just a chatbot #mvp. It offers a glimpse into the future of cybersecurity, where AI-driven applications can parse vast amounts of data, surface insights, and respond to human language queries.
For example, you could ask about the number of critical records or the most vulnerable images. Human language requests are translated with ease:
Enter a question or type 'exit' to quit: How many IMAGE_TAG records are there that are Critical
> Entering new AgentExecutor chain...
Action: list_tables_sql_db
Action Input: ""
Observation: app_patrol, nvd_cves, sqlite_sequence
Thought: I should look at the schema of the app_patrol table to see what columns I can query.
Action: schema_sql_db
Action Input: "app_patrol"
Thought: I can query the IMAGE_TAG and SEVERITY columns to get the number of Critical records.
Action: query_sql_db
Action Input: SELECT COUNT(*) FROM app_patrol WHERE SEVERITY = 'Critical' AND IMAGE_TAG IS NOT NULL
Observation: [(246,)]
Thought: I now know the final answer
Final Answer: There are 246 IMAGE_TAG records that are Critical.
> Finished chain.
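Added example (not part of the original article or the ChatCVE code base): because the agent in the trace above executes SQL that the model wrote, the SQLite connection it uses can be limited to SELECTs on the findings tables with an authorizer callback. The table names come from the trace; the function allowlist, the row cap and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Table names come from the agent transcript; the function allowlist is an assumption.
ALLOWED_TABLES = {"app_patrol", "nvd_cves"}
ALLOWED_FUNCTIONS = {"count", "min", "max", "sum", "lower", "upper"}
MAX_ROWS = 200  # assumed cap on rows handed back to the model


def authorizer(action, arg1, arg2, dbname, source):
    """Allow only SELECTs that read allowlisted tables; deny everything else."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_guarded_sample_db():
    """Build a constructed findings table, then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_patrol (IMAGE_TAG TEXT, SEVERITY TEXT)")
    conn.executemany(
        "INSERT INTO app_patrol VALUES (?, ?)",
        [("web:1.0", "Critical"), ("api:2.3", "Critical"),
         ("web:1.0", "High"), (None, "Critical")],  # constructed rows
    )
    conn.commit()
    conn.set_authorizer(authorizer)  # from here on, the agent's SQL is constrained
    return conn


def run_agent_sql(conn, sql):
    """Execute one model-generated statement; return (allowed, rows_or_error)."""
    try:
        return True, conn.execute(sql).fetchmany(MAX_ROWS)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Denied actions and multi-statement input both land here.
        return False, str(exc)


if __name__ == "__main__":
    db = open_guarded_sample_db()
    print(run_agent_sql(db, "SELECT COUNT(*) FROM app_patrol "
                            "WHERE SEVERITY = 'Critical' AND IMAGE_TAG IS NOT NULL"))
    print(run_agent_sql(db, "DELETE FROM app_patrol"))
```

The query from the trace still runs unchanged, while writes, schema reads and stacked statements are rejected before they execute.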
Join Us on this Journey 🚀
Our mission with the ChatCVE Lang Chain app really is to make Cybersecurity data accessible to everyone, because Secure Software Supply Chains are a Team's duty. The bottom line for using AI with the key findings data is this...
Enlisting and Empowering all team members, regardless of their technical skills, is key to fostering a secure and resilient digital infrastructure.
I welcome feedback, ideas, and experiences that you would like to share. After all, security is everyone's job. Please message me to discuss adding a fully managed & secure AI layer to aid in Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012, 7019, and 7020 for your organization.