Managing software security risk is a high-stakes race that’s getting harder to win. Enter Veracode Fix: the intelligent remediation solution that helps you pay down security debt at scale and deliver more secure software, faster, for less effort and cost. Leveraging a GPT-based machine learning model trained on Veracode’s proprietary dataset, Veracode Fix is a specialized AI trained by deep machine learning that excels at fixing insecure code and dramatically reduces the work and time needed to remediate flaws.
The Problem: Creating Flaws Faster than We Can Fix Them
Software security flaws are created faster than they are fixed. Many factors contribute to this – from the number and complexity of applications to the growth of applications over their lifetimes. The net effect is that security debt is growing. And, like any debt, it can only be deferred so long and accrue so much before it manifests in significant financial, strategic, and security consequences.
Remediation capacity has only improved incrementally in contrast with exponential increases in development productivity. Modern software development techniques – like the use of third-party libraries, microservices, automation, and other factors – have increased development productivity, while incremental improvements in flaw remediation capacity are widening the gap and causing security debt to grow. The reason for this is simple: software is created with automation but (to date) has been fixed with manual remediation.
With the advent of generative AI and companion coding comes a need to consider the security implications of this revolutionary innovation. Machine learning models are only as good as the data and training they learn from. Since the majority of software scanned in the last twelve months is insecure, it follows that models trained on an unfiltered set of software will replicate these insecurities. The risk here is that the techniques that make developers more productive see them producing insecure software at a time when security efforts are already struggling to keep pace. There is a clear and present need for solutions that can keep up with the pace of development and rate of flaw introduction. Organizations need to find a solution that ticks all the boxes when it comes to striking a balance between nurturing, leveraging, and keeping pace with technological advancements.
Fortunately, AI is not only changing how we create software, but how we secure software as well.
The Solution: Bringing Automation to Flaw Remediation
Scanning tools find flaws. Historically, the onus has been on developers to manually fix those findings. One huge struggle between security and development teams has been prioritization of flaw remediation against other items in the developer’s backlog, as well as the pressure to deploy production code. Oftentimes organizations choose to accept the risk, which compounds over the lifetime of the app. As new features are added, new flaws are created – often at a faster rate than they are fixed – leading to security debt accrual. Developer and security teams have a persistent ask: make it possible to manage security debt at scale by scaling the ability to remediate flaws.
Veracode Fix delivers this. Unlike scanning tools that only find flaws, Veracode Fix generates secure code patches developers can review and implement to remediate security flaws, without manually coding a fix. With Veracode Fix, developers can reduce both the introduction of flaws and vulnerabilities in code and also the accumulation of security debt over the lifetime of an application.
Practical AI: Security-Specialized Machine Learning
Veracode Fix is a security-specialist machine-learning solution that uses the same transformer architecture on which ChatGPT is built. But the learning model is only one-third of a machine-learning solution. Just as (if not more) important are the data and training. Veracode Fix is trained on a highly-curated, proprietary dataset with alignment research from a team of security experts to excel at flaw remediation tasks.
This means Veracode Fix can augment developer-led remediation at scale by generating secure code fixes for insecure software. Veracode Fix alleviates workloads and reduces mean time to remediate (MTTR). This means organizations can fix more security flaws, in less time, using fewer development resources.
The benefits of intelligent remediation are significant. With initial coverage for Java and C#, Veracode Fix brings remediation at scale to a majority of Veracode customer applications, and to a carefully prioritized set of static analysis findings within those applications. Looking at all Veracode Static Analysis findings for Java applications, Veracode Fix generates recommended fixes for 72% of those findings. By reducing the time and effort required to fix flaws, organizations can improve security posture and lower risk, accelerate time to market and compliance, and realize operational efficiencies. This means more capacity to innovate and focus on creating – rather than fixing – software.
Available June 2023
Veracode Fix will be generally available in June 2023 with initial support for Java and C#. Visit the Veracode Fix page to learn more.