Code Intelligence’s new AI agent Spark works autonomously to find bugs in any codebase
German application security testing startup Code Intelligence GmbH today announced what it says is the first fully autonomous artificial intelligence-powered “test agent” that can find bugs and vulnerabilities in unknown code.
It’s called Spark, and the company reckons it’s the first AI agent of its kind to identify a real-world vulnerability in a popular open-source software project by automatically creating and running a test.
According to Code Intelligence, Spark is meant to automate the software testing process fully, and to that end it not only identifies bugs, but also tries to remediate them by fixing the broken code. In this way, Spark can dramatically lower the barrier to entry for developers looking to employ advanced security testing techniques such as white-box fuzz testing, which traditionally rely on human expertise.
Code Intelligence said its beta tests show Spark can save up to 1,000 hours of manual effort on average when testing a codebase with 100,000 lines of code.
To showcase the capabilities of Spark, the company used it to scan WolfSSL, which is an open-source cryptography library that’s widely used in internet of things systems and embedded devices. All that was required to do this was for a human to run a single command to launch the AI test agent, and from there it did everything else by itself.
Spark began by analyzing WolfSSL’s codebase, then generated a relevant test case based on that analysis, before running the test. It soon spotted a vulnerability known in the coding industry as a “heap-based use-after-free,” which can cause unexpected behavior and system failures and potentially open the door to security exploits.
Code Intelligence immediately made the vulnerability known to WolfSSL’s team, which quickly issued an update to fix the problem in December.
Code Intelligence Chief Executive Eric Brueggemann said this test case proves the ability of AI to aid humans in tasks that require significant expertise. “AI can effectively take over manual tasks in software testing, such as analyzing code, identifying the most likely attack vectors, generating and running tests, and can thereby yield great results,” he said.
That’s already a pretty significant achievement, but Brueggemann intends to build on that by teaching Spark to fix any of the bugs it uncovers automatically, so as to automate the entire software testing process and complete it in just a few minutes.
“Humans will continue to make the final decisions,” he added. “We will provide automatically generated pull requests with a proven fix for identified vulnerabilities directly in the CI/CD pipeline.”
Holger Mueller of Constellation Research Inc. said Code Intelligence is building on the autonomous capabilities of AI agents by giving them the smarts required to identify tasks that need to be completed by themselves. And it’s applying this to a use case that desperately needs improvement.
“Code testing has long been a tedious and time-consuming task and this segment of the software market has traditionally also been under-funded, resulting in lower quality software that’s littered with bugs,” the analyst said. “As a sub discipline within software testing, fuzz testing has been underutilized as it requires the creation of numerous tests for each piece of software. That makes it an ideal use case for generative AI, and it’s good to see this innovation, which has the potential to transform software development practices.”
Spark has already been put into action by a number of companies, including the software engineering firm Vector Informatik GmbH. Andreas Lackner, a senior software development engineer at Vector, said he was thoroughly impressed by Spark’s capabilities. “By reducing the manual effort for creating and integrating fuzz tests, we are able to bring our cycle times down and further improve the quality of our embedded software,” he said.
Code Intelligence says it’s planning to host an official launch event for Spark Jan. 28, where guests from the Mozilla Foundation and Continental AG will talk about how they’ve been using it to enhance their software testing programs.