/dec 14, 2023

What Our Security Experts Discussed at AWS re:Invent 2023

By Natalie Tischler

The landscape of coding is changing as developers embrace AI, automation, microservices, and third-party libraries to boost productivity. While each new approach enhances efficiency, like a double-edged sword, flaws and vulnerabilities are also introduced faster than teams can fix them. Learn about one of the latest innovations solving this in a recap of what our security experts discussed at AWS re:Invent 2023. 

Veracode Fix: A Game Changer in Flaw Remediation for Developers

During their AWS on Air segment, our experts, Vice President of Strategic Product Management, Tim Jarrett, and Senior Solutions Architect, Eric Kim, shared how Veracode Fix is a new game-changing tool that helps developers cut down the flaw remediation process from months to minutes. 

Leveraging the power of AI, the tool allows developers to easily reduce security issues by generating suggested fixes for existing code that is flawed and vulnerable.  

While many AI-powered coding tools are designed to help write code, Veracode Fix is specially designed to fix vulnerabilities and security risks in code, changing the way your organization and developers pay down security debt. The ability to scale and tackle security issues lightning-fast allows your teams to deliver secure software faster while saving resources and costs. 

How Veracode Fix Works 

Veracode Fix harnesses a GPT-based machine learning model trained on our proprietary dataset that comprises 17 years of analysis in the application security industry. From this knowledge base, the AI generates code patches that developers can review and select from to remediate security flaws. Fixes are implemented almost instantly without manually writing a single line of code. 

Tim explained that the process starts by taking the results of scans. The AI then isolates the insecure code (almost treating it as a prompt) and identifies the type of flaw or vulnerability before suggesting one or more fixes for developers to choose. 

Generated fixes by the AI must meet three essential criteria:  

  1. It should compile successfully after the application  

  1. Fixes must be secure and generated from Veracode's exclusive dataset  

  1. It should effectively remediate the flaw without triggering an alert from the scanning tool during pipeline execution 

Ensuring Reliability and Customer Data Security 

Most language models and generative AI coding tools are trained on insecure open-source libraries, public, and/or customer data. This raises concerns from licensing and legal issues to the protection of your company's intellectual property, not to mention security risks

However, Eric points out that Fix is solely trained on data gathered from Veracode’s long legacy of tried-and-true security practices that continues to grow and improve each year. This includes carefully designed and supervised 'master patches' by security experts in Veracode. 

The high level of consideration in developing the AI model's knowledge base ensures that Veracode Fix is responsible by design. Tim explains it not only removes the possibility of an intellectual property leak but ensures high reliability and security in delivering fixes. 

Empowering Developers and Your SDLC With Veracode Fix

Developers are frequently ragged on for their perceived lack of concern regarding code security, but from his conversations with developers over the years, Tim says the opposite holds true. However, when faced with multiple deadlines, the last thing any developer wants to see is the considerable security debt that is about to throw their schedules out the window.  

With Veracode Fix, developers can more easily address security debt as they know they have the power of AI to generate fixes quickly. 

To remediate flaws faster and reliably for a secure future. You can learn more on Veracode Fix here. 

Related Posts

By Natalie Tischler

Natalie Tischler believes in a world where software is built secure from the start. She writes content for Veracode that focuses on empowering harmony between Security and Development teams.