RSAC 2026 USA: Sonar VP Jeremy Katz Emphasizes Need to Shift Code Security Before CI
2026-03-28 10:24

en.Wedoany.com report, Mar 28th: At RSAC 2026, Jeremy Katz, Vice President of Code Security at Sonar, argued that code security must move to a stage before CI. As AI-assisted and agent-driven development becomes mainstream, the checkpoints in traditional CI/CD pipelines are struggling to catch risks early enough.

Katz pointed out: "The biggest gap right now is before the code enters CI. Developers and AI agents generate code at high speed. Without prior validation, vulnerabilities can easily accumulate." He emphasized that security needs to intervene early in the lifecycle, with real-time checks during coding.

Software supply chain attacks have intensified the risks. Katz pointed to the growing number of incidents in which open-source dependencies such as npm packages are compromised, so that malicious code spreads through channels developers already trust. Sonar introduced automated malicious package detection in SonarQube Premium Security Edition as a guardrail for AI-driven workflows.
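As an added example (not from the article and not Sonar's detection logic), here is a minimal pre-CI dependency gate in Python that a developer could run from a pre-commit or pre-push hook. It reads an npm package-lock.json and flags the usual supply-chain warning signs: a version on a local advisory list, an install-time script, a tarball resolved outside the expected registry, and a missing integrity hash. The advisory list, the sample lockfile, and every package name in it are constructed for illustration.

```python
"""Pre-CI dependency gate for an npm lockfile.

Added example for this article, not Sonar's detection logic. It flags lockfile
entries that (a) match a local advisory list of compromised versions, (b) declare
an install-time script, (c) resolve outside the expected registry, or (d) carry no
integrity hash. The advisory list, the sample lockfile and all package names are
constructed for illustration.
"""
import json
import sys

# Constructed advisory list: package -> versions known to be compromised. In real
# use this would come from a trusted, regularly refreshed feed; these are made up.
ADVISORIES = {
    "left-padx": {"1.4.2"},
    "color-utils-pro": {"2.0.1", "2.0.2"},
}

ALLOWED_REGISTRY = "https://registry.npmjs.org/"

# Constructed package-lock.json (lockfileVersion 3) used when no path is given.
SAMPLE_LOCKFILE = """{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0",
         "dependencies": {"left-padx": "^1.4.0", "safe-lib": "^3.0.0", "odd-dep": "0.9.0"}},
    "node_modules/left-padx": {
      "version": "1.4.2",
      "resolved": "https://registry.npmjs.org/left-padx/-/left-padx-1.4.2.tgz",
      "integrity": "sha512-constructedA==",
      "hasInstallScript": true
    },
    "node_modules/safe-lib": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/safe-lib/-/safe-lib-3.1.0.tgz",
      "integrity": "sha512-constructedB=="
    },
    "node_modules/odd-dep": {
      "version": "0.9.0",
      "resolved": "https://cdn.example.net/odd-dep-0.9.0.tgz"
    }
  }
}"""


def iter_lock_packages(lock):
    """Yield (name, version, entry) for every installed package in a v2/v3 lockfile.

    Keys look like "node_modules/a" or "node_modules/a/node_modules/@s/b"; the
    package name is whatever follows the last "node_modules/". The "" key is the
    project root and is skipped.
    """
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, entry.get("version", ""), entry


def scan_lockfile(text):
    """Return a list of (package, version, reason) findings for the lockfile JSON text."""
    lock = json.loads(text)
    findings = []
    for name, version, entry in iter_lock_packages(lock):
        if version in ADVISORIES.get(name, ()):
            findings.append((name, version, "version is on the local advisory list"))
        # npm records hasInstallScript for packages with pre/post/install hooks;
        # these run arbitrary code at `npm install` time, the usual payload vector.
        if entry.get("hasInstallScript"):
            findings.append((name, version, "declares an install-time script"))
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(ALLOWED_REGISTRY):
            findings.append((name, version, "resolved outside the allowed registry"))
        # Workspace links have no tarball, so only registry/tarball entries need a hash.
        if not entry.get("link") and not entry.get("integrity"):
            findings.append((name, version, "no integrity hash pinned"))
    return findings


def gate(text):
    """Exit-code style verdict: 0 when clean, 1 when any finding should block the commit."""
    return 1 if scan_lockfile(text) else 0


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for pkg, ver, reason in scan_lockfile(source):
        print(f"BLOCK {pkg}@{ver}: {reason}")
    sys.exit(gate(source))
```

Run with `python gate.py package-lock.json` from a git hook and a non-zero exit blocks the commit before anything reaches CI. The advisory-list check is only as good as the feed behind it; the install-script, registry and integrity checks catch the common shapes of a compromised package even when the version is not yet on any list, which is why a local gate should combine them rather than rely on one signal.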

The rise of AI-generated code widens the exposure further. Sonar research shows that coding models produce insecure code faster than manual review can keep up with. Katz stated that while AI can accelerate development, poorly managed AI use amplifies risk, which prompted Sonar to propose the Agent-Centric Development Cycle (AC/DC).

The AC/DC model reframes the loop around AI-driven development rather than traditional continuous integration: agents generate large blocks of code at once, so errors can accumulate before a CI checkpoint ever sees them. Its structured loop has four stages, Guiding, Generating, Validating, and Resolving, with validation as the indispensable step.

Katz emphasized that human oversight remains crucial: "AI cannot fully replace human judgment, especially in understanding business logic and risk tolerance." Sonar's tools, such as the SonarQube CLI, support real-time code analysis, scanning for vulnerabilities locally as well as in CI/CD pipelines, with an emphasis on reducing false positives so that developers trust the results.

Katz concluded: "Security cannot be an afterthought; it must be embedded in every stage, starting before CI." The ability to generate, validate, and protect code in real time is becoming key to successful software development.

This bulletin is compiled and reposted from information of global Internet and strategic partners, aiming to provide communication for readers. If there is any infringement or other issues, please inform us in time. We will make modifications or deletions accordingly. Unauthorized reproduction of this article is strictly prohibited. Email: news@wedoany.com