To me, the value of an ML tool would be in the step after we run things through static analysis (e.g. linters for bad coding practices, SCA scans for known CVEs) and before we send this off to our security team for an internal audit and pen test. It would be a tool that we add to our existing tool set, so that we can catch issues earlier, rather than something to replace our pen testers.
Even if you do have some authoritative curation of resources, it's difficult for dev teams to consume it. And even for those who do understand security, it requires a lot of tedious work to check through. I wish it weren't the case, but the reality is that most teams don't have the specialist skills or the motivation to grind away at this for a significant chunk of their time.
Even if you do have some authoritative curation of resources, it's difficult for dev teams to consume it. And even for those who do understand security, it requires a lot of tedious work to check through. I wish it weren't the case, but the reality is that most teams don't have the specialist skills or the motivation to grind away at this for a significant chunk of their time.