TL;DR: DeepCode is an AI-powered code auditing and remediation tool that harvests data from thousands of open-source projects to detect and address critical vulnerabilities. The solution, a product of extensive academic research, delivers better code via deep analytics and is available to open-source software developers and commercial groups with up to 30 individuals at no cost. Moving forward, the DeepCode team plans to build on its strong foundation with added integrations and enhanced language support.
From the moment our smartphone alarms go off each morning, our daily routines are highly dependent on software. We ask Siri to turn on the lights, rely on GPS navigation software to find the best route to work, and spend all day in front of a computer interacting with the programs we need to do our jobs.
After work, many people get their nightly news or do some shopping via a smartphone app. And, as the day comes to a close, 71% of us fall asleep next to our smartphones.
But our reliance on technology doesn’t mean it’s foolproof. Software bugs are all too common, causing everything from minor nuisances to tremendous financial loss and even fatal accidents.
That’s why DeepCode is bringing the knowledge of the global academic community to the mainstream with an AI-based code auditing and vulnerability remediation tool. The system, based on years of cutting-edge research, uses machine learning concepts to gain knowledge from millions of commits made in hundreds of thousands of open-source software projects.
“Because the platform semantically determines not only syntax mistakes, but the intent of the code, it is capable of identifying far more bugs and security vulnerabilities than other tools, with fewer false positives,” said Frank Fischer, Developer Relations at DeepCode.
Open-source developers and commercial teams of up to 30 individuals can access the platform for free. Getting started is easy and requires zero configuration. All developers have to do is connect DeepCode with their GitHub, BitBucket, or GitLab accounts, and the tool will immediately begin to review each commit and identify issues. The company also has two plugins designed to help users detect bugs and quality issues: a Visual Studio Extension and an Atom Package.
With roughly a decade of research under its belt, DeepCode will continue to build upon its strong foundation, offering new integrations and expanding language support as needed.
A Scientific Approach to Code Auditing and Vulnerability Remediation
DeepCode, based in Switzerland, is conceptually rooted in academic research on static program analysis conducted at the globally renowned technical university ETH Zurich. Collectively, the team has extensive research and development experience in both AI and programming systems.
“In 2016, Co-Founders Boris Paskalev, Martin Vechev, and Veselin Raychev came together with a lot of knowledge in this space and decided to set up the company,” Frank said. “They were less driven by the idea of market domination and more driven by the chance to democratize the technology.”
Four years later, the company has retained its scientific approach. Frank told us that about three-quarters of the team, which is still very much a startup, boasts rigorous educational backgrounds. Most are ETH Zurich graduates or professors, though some hail from other prestigious universities, such as MIT. Veselin, now CTO, was also an engineer at Google before pursuing his Ph.D. at ETH Zurich.
From the start, DeepCode’s mission has been to use powerful AI and machine learning techniques to improve the way developers create programs. Identifying bugs and providing remedies before they become a problem in the production stage helps developers fulfill their potential and deliver high-quality products more quickly.
According to DeepCode, the platform’s machine learning algorithm detects the intent of submitted code with 90% precision and notifies users of 10 times more critical security issues and vulnerabilities than other solutions. The company’s algorithms are continually trained on new bug fixes using countless open-source repositories and millions of version-control commits.
“DeepCode is an amazing product and has helped me write better code and catch errors before they are released into the wild,” DeepCode user Brent S. stated in a testimonial on the site. “It’s certainly an integral part of my workflow.”
Delivering High-Performance, Secure Code via Deeper Analytics
At the heart of DeepCode lies a sophisticated technology known as static program analysis that bridges two types of artificial intelligence: symbolic and subsymbolic.
“DeepCode uses both sides — the symbolic AI rooted in the typical way a code analysis is done, as well as a mechanism to use open-source repositories,” Frank said. “We are harvesting GitHub, for example, to get training data that we are then using by means of subsymbolic AI to build rule sets in the symbolic AI.”
When a code change is detected in an open-source project, the DeepCode system attempts to understand what happened and why it happened — and, if necessary, come up with a new rule applicable to all projects.
DeepCode differs from other automated code auditing solutions in that it can build arguments that explain why the network is reacting in a certain way. This allows the system to identify critical vulnerabilities that other review systems cannot, such as SQL injection, cross-site scripting, and path traversal. Frank said this is precisely the type of information developers are looking for.
“DeepCode provides you with argumentation — it says, for example, ‘We see that you have a SQL injection here because we saw that data was coming in by this function and it was flowing through your application on this route. Then it was used in this SQL query here, and in between, it was not sanitized. That’s the reason why we say you have a possible SQL injection here.’”
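The kind of source-to-sink argument Frank describes is what a taint analysis produces. The following toy tracker is an added illustration, not DeepCode's code: it walks a constructed three-line program, records the route untrusted data takes, and reports a finding only when no sanitizer sits on that route. The function names (request.args.get, escape_sql, cursor.execute, build_query) and the statement format are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical role assignments for this example; a real engine learns/derives these.
SOURCES = {"request.args.get"}   # where untrusted data enters
SANITIZERS = {"escape_sql"}      # calls that neutralise tainted data
SINKS = {"cursor.execute"}       # where tainted data becomes a SQL injection


@dataclass
class Stmt:
    line: int
    target: str    # variable assigned, or "" for a bare call
    call: str      # function called
    args: tuple    # variable names passed as arguments


def analyze(program):
    """Return one finding per tainted argument reaching a sink, with its full route."""
    taint = {}      # variable -> list of Stmt that carried taint into it
    findings = []
    for s in program:
        tainted_args = [a for a in s.args if a in taint]
        if s.call in SOURCES:
            taint[s.target] = [s]                       # taint originates here
        elif s.call in SINKS:
            for a in tainted_args:                      # unsanitized data hits the sink
                findings.append({"var": a, "sink": s, "route": taint[a] + [s]})
        elif s.call in SANITIZERS or not tainted_args:
            taint.pop(s.target, None)                   # result is clean
        elif s.target:
            taint[s.target] = taint[tainted_args[0]] + [s]   # propagate through the call
    return findings


def explain(f):
    """Render a finding as the kind of argument described in the article."""
    route = " -> ".join(f"line {s.line}: {s.call}" for s in f["route"])
    return (f"possible SQL injection at line {f['sink'].line}: untrusted data "
            f"flows {route} and is never sanitized")


# Constructed sample programs: the same flow with and without a sanitizer.
VULNERABLE = [Stmt(1, "name", "request.args.get", ("key",)),
              Stmt(2, "query", "build_query", ("name",)),
              Stmt(3, "", "cursor.execute", ("query",))]
FIXED = [Stmt(1, "name", "request.args.get", ("key",)),
         Stmt(2, "safe", "escape_sql", ("name",)),
         Stmt(3, "query", "build_query", ("safe",)),
         Stmt(4, "", "cursor.execute", ("query",))]

if __name__ == "__main__":
    for finding in analyze(VULNERABLE):
        print(explain(finding))
    print("findings in fixed program:", len(analyze(FIXED)))
```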
Catering to an Open-Source Software Community
DeepCode is proud to offer its platform for free when used on open-source projects, such as repositories and libraries. Recently, the company announced it would extend its free license to any team smaller than 30 people.
“That makes us quite competitive when you consider that comparable offerings from other vendors can cost thousands,” Frank said. “We want to make it as easy as possible to access the system.”
Expanding the DeepCode user base also works in the interest of the company, which will use customer feedback to improve the tool from an internal development perspective. Frank said DeepCode plans to employ two feedback loops for that purpose — one for the team working on the toolsets, user interface, and integrated development environments (IDEs) and one for the developers working under the hood on core elements.
The methodology mirrors agile software development, a flexible, incremental approach where solutions evolve through continuous collaboration between teams. Using this model, developers will be able to implement small changes in the first feedback loop without having to wait on all features (including time-consuming ones that affect the core engine) to be developed and delivered at once.
That said, the company is not actively recruiting customers at this stage. “But we still receive calls from companies asking to buy the product,” Frank said. “It’s the optimal situation for a startup, knowing that your customers are knocking on the door and asking for the product to be sold.”
Building On a Foundation: Enhancing Access via Integrations
In the grand scheme of things, Frank said DeepCode’s mission is only about 1% complete.
“We spent a lot of time in the past two and a half years building the fundamentals, and now we want to build on top of those basics,” Frank said.
Investors will have some say in the future of the platform. In 2019, the company received $4 million in seed funding in a round led by Earlybird with participation from Btov Partners and 3VC.
“This has created a very cozy situation in a way because we bootstrapped the initial version of the tool, but we also have investors close by who are excited to support us in our journey ahead,” Frank said.
Users are invited to test the technology using their own repositories or pre-built demos on the DeepCode site.