The open-source project Isitsecure has been introduced, which integrates static (SAST) and dynamic (DAST) analysis, as well as code auditing via LLMs, into a single workflow. The tool's uniqueness lies in the automatic generation of DAST tests based on static analysis findings to verify the real exploitability of vulnerabilities.

image

What Happened

Isitsecure has been released—a tool for comprehensive web application security scanning with a single command. It implements the concept of "SAST-defined DAST," where static analysis results automatically form a dynamic testing plan. The system also includes code auditing using Large Language Models (LLMs) for deeper analysis.

Context

The project is a response to the growing popularity of "vibe coding"—a method of rapid development using AI assistants, which often leads to the creation of insecure code by default. The tool aims to create a closed-loop security cycle, linking various analysis methods into an automated workflow.

Why It Matters for the Industry

Isitsecure offers a new automation pattern for DevSecOps, lowering the barrier to entry for security processes. This allows small teams and individual developers to implement automated vulnerability verification, which in the long term could contribute to the formation of security-as-code standards, where LLMs act as the connective tissue between different types of analysis.

Why It Matters for Users

Developers using AI tools gain access to a fast and affordable way to check their applications for critical flaws, such as XSS, SQLi, and IDOR, directly during the iterative development process, without requiring deep expertise in information security.

What Is Not Yet Known / Limitations

For enterprise use, additional verification of data handling mechanisms and the effectiveness of false positive management is required.

Sources

Author

Look at AI, Editorial Team