June 28, 2023

How to Measurably Reduce Software Security Risk with Veracode Fix

By Devin Maguire

Veracode Fix is now available as an add-on to Veracode Static Analysis for customers on the North American instance. Availability for customers on Veracode’s EMEA and FedRAMP instances will be coming soon! 

From nearly two decades of securing software, we know that fixing flaws, not just finding them, is what makes a profound impact on security posture. However, fixing flaws is one of the greatest challenges teams face when it comes to application security...until now. Veracode Fix marks a major leap forward in software security; it shifts the paradigm from application security testing tools that find flaws to intelligent solutions that generate fixes. Here’s how you can save time and secure more with AI-generated fixes developers can easily review and implement without manually writing any code.  

The Problem: Too much time. Too little security. 

If we look at the current remediation workflows, developers are often asked to spend time they don’t have, fixing flaws they don’t understand, many times in software they didn’t even create. Not only does this take hours of effort, but there are far more flaws than time and capacity to fix them.  

The vast majority of security findings are deferred and persist for months. In those months, more flaws are created – often faster than old ones are fixed. This means despite tremendous time, effort, and resources spent on remediation today, developers will have to spend even more time and effort fixing security issues in the future. It also means risk is increasing and productivity decreasing at a time when threat and competitive landscapes are more severe than ever. 

To quantify the challenge, let’s look at some statistics: 

  • 25 percent: the average percentage of static analysis security findings developers can address in a month

  • 243 days: the average half-life of Java flaws (the time it takes to address 50% of findings) 

  • 56 percent: the percent of Java applications with increasing technical security debt over time 

These statistics show that we are good at finding flaws, but the remediation of these flaws (which results in more secure software) has been too cumbersome to be feasible. Developers and security teams are spending too much time to achieve too little security. Veracode Fix changes this. 

The Solution: Save time. Secure more. At scale. 

Veracode Fix shifts the paradigm in software security from finding flaws to fixing them. Unlike tools that only scan code, Veracode Fix takes the critical next step to generate secure code patches developers can review and implement without writing any code.  

Watch this quick demonstration to see Veracode Fix in action. 

The benefits of Veracode Fix are game changing. Just with initial coverage for Java and C#, Veracode Fix brings AI-generated fixes to a majority of customer applications with coverage for 74% of Java static analysis findings on average. That means nearly 3 out of 4 Java flaws in your proprietary code can potentially be fixed without manually writing any code.  

This degree of automation is transformative. With Veracode Fix, you can increase remediation capacity, reduce mean time to remediate, pay down technical security debt, prevent flaw introduction, and ultimately accelerate secure development and reduce risk, all while alleviating workloads and increasing productivity. It may sound too good to be true, so here’s how we went about creating this very real, very incredible solution. 

How it Works: Responsible AI by Design

Veracode Fix is the power of Veracode’s proprietary data from 17 years of securing software at your fingertips – our proprietary data and expertise encapsulated in a machine learning solution and delivered in a powerful and responsible generative AI solution.  

From a user’s perspective, when a flaw with Veracode Fix support is found, a developer selects the flaw, Veracode Fix generates one or more fixes, and the developer can review and implement a fix without manually writing a single line of code. Veracode Fix does not automatically change code. There is always a developer in the loop to review and implement recommendations. 

On a technical level, Veracode Fix uses a GPT large language model trained on a fully proprietary and curated dataset with supervised learning and alignment from Veracode’s team of expert security researchers.  

Most large language models and generative AI coding tools are trained on open-source, public, and/or customer data. In addition to the licensing and legal concerns about your company’s intellectual property going out publicly into these AI models, this has security implications as well. Most software is insecure. Generative AI models trained on most software emulate those insecure coding practices. In contrast, Veracode Fix takes a highly considered and responsible approach to the training dataset, the handling and protection of customer data, and the supervision and alignment of the model.  

[Figure: Veracode Fix Intelligent Remediation Engine Diagram]

Regarding the training dataset, Veracode Fix is trained on a fully proprietary, curated dataset of reference patches sourced from our team of expert security researchers. Veracode does not use open-source code, code in the wild, or customer data to train the model. Veracode Fix handles customer data with the highest responsibility, encrypting data in transit and discarding it immediately after generating fix suggestions. To train the model, Veracode leverages our team of security researchers to provide supervised training and alignment, so Veracode Fix delivers secure code patches with high reliability, repeatability, and confidence.  

A security mindset is not just asking if a solution does what it should do. It’s critiquing whether it does what it should NOT do. This is foundational to Veracode’s identity. Veracode has a legacy of securing customer software and building trust in new technologies as the pioneer SaaS vendor for application security testing. Veracode Fix continues that legacy by building trust in generative AI.  

The journey to deliver Veracode Fix started four years ago when leadership posed the question: “What is the most important challenge in application security?” The answer was simple - fixing security findings. Solving that challenge, however, was anything but simple. Four years, a technology acquisition, and countless hours later, Veracode has navigated the hard path to deliver a responsible solution that solves the problem without creating or trading it for a new one. This is the only way to successfully shift the paradigm in software security from find to fix.  

Moving Forward

Today marks a leap forward in the mission to save developers time and secure more with the power of Veracode Fix and AI-generated secure code patches. And the journey ahead is clear: expanded support for additional languages, coverage for additional CWEs, and embedding Veracode Fix throughout developer workflows and tools to fix flaws wherever they are created and found.  

Join us on this journey to a more efficient, productive, and secure future. Schedule a Veracode Fix demo today.

By Devin Maguire

Devin is a Sr. Product Marketing Manager helping customers confidently deliver secure software faster by placing developers and security practitioners at the fulcrum of Veracode’s product positioning and messaging.