Mar 30, 2023

We’re Good at Finding Security Flaws, But What About Fixing Them?

By Devin Maguire

Technology is a double-edged sword. On one hand, it makes new experiences possible and elevates productivity. On the other hand, it introduces new threats and attack vectors, and it can widen the gap even further between our ability to produce software and our ability to secure it. Getting faster at creating and finding security flaws does not make us faster at fixing them; data shows that one in four vulnerabilities remains open well over a year after first discovery. Instead, as we increase productivity and get better at detecting flaws, we find ourselves creating and finding flaws faster than we can fix them.

The outcome: Security debt accrues, and organizations must slow development, spend money to increase their capacity to fix flaws, or instead increase risk and exposure to ever more frequent, sophisticated, and severe cybersecurity threats. Let’s dive further into the problem and then look at potential solutions. 

Three Factors Contributing to the Problem

CEOs, developers, and security teams are under pressure to deliver safe and secure software fast – it's what the current landscape demands. Automation has become one of the cornerstones for a business to become more impactful and innovative. However, automation and exponential advances in software development productivity threaten to make the security gap even wider. Let’s look at how already overburdened software security teams face even more pressure.

Scale of the challenge

Security flaws are created at a rapid pace because software is developed at a rapid pace (often thanks to automation), yet we still fix them with manual remediation. This makes prioritization essential. Development and security teams need to work together to define a security policy and a shared definition of done. Teams need to discuss: what must and can be fixed given our risk tolerance and the capacity of our development teams? Unfortunately, that capacity is spread thinner and thinner as developers face more and more competing responsibilities.

Developers have more responsibilities

Developers are overworked – that’s not news. A recent Salesforce study states that the highest contributing cause of developer burnout is “increasing workload/demand from other teams.” Their responsibilities include building applications (fast) and modifying existing software across different portfolios. At the same time, software needs to go to market on time, and code needs to be deployed quickly and securely. Since many developers aren’t trained in security (more on this later), this creates a perfect storm for flaws to compound. Coupled with manual remediation, the wall of security debt gets higher and higher, demanding more and more of developers’ time.

Software security skills gap

Developers aren’t getting sufficient and engaging security training, and research shows that users of hands-on developer security training who had completed at least one lesson took 110 days to remediate 50% of flaws – while those who had no such training took 170 days. That’s a difference of two months, but many security teams are too overwhelmed with their own responsibilities to think about training developers. Thrown into the mix is the massive shortfall of 3.42 million security professionals, a topic covered by the National Cybersecurity Strategy from the Biden-Harris Administration. This further emphasizes the importance of automation in helping both developers and security teams work efficiently and save resources.

How You Can Manage Software Risk and Security Debt at Scale

If we couldn’t even keep pace in the past, how do we expect to tackle this mounting remediation challenge in the future, when companion coding and other advances mean the scale of the problem will be even greater? Well, how do we typically tackle these types of challenges? Historically, the answer has been automation.

Think of the chores you no longer do yourself because they take time and there are better, more efficient ways to do them. Take your monthly bills, for instance. Instead of going online and spending time logging in and out manually, you can set up automatic payments. Now, with extra time at your disposal, you can work on the things that matter to you.

Automation in software development is similar in the sense that it gives your development and security teams more time to work on impactful tasks. It means faster delivery and higher ROI over the lifetime of software products. However, if all the gains of automation are offset by the burden and cost of manual remediation and security efforts, then we are not extracting the full value and potential on offer.

There is a clear and present need to bring flaw remediation within the fold of automation. The only way to close the security gap – the only way to deliver exponential improvements and achieve better outcomes with the same or fewer resources – is to leverage machine learning and intelligence to automate software remediation. 

An Example of How Automated Fixing Can Help at Scale

Let’s look at the software security problem through the lens of a hypothetical Java web application. We’ll say it is three years old, has 10,000 lines of code, and 50 static analysis findings. We know it will take roughly 10 months to close half of those flaws, and eventually around 70 percent will be resolved, leaving 30 percent as security debt.

The thing is: as old flaws are being fixed, new features (and flaws) are being created. Some of those new flaws will be resolved, but development and security teams are sprinting to stand still and just maintain security posture. Except that’s not the full picture. Looking beyond a single application at the entire software portfolio, security debt is growing, not shrinking. In fact, research shows that in any given month, there is a 27 percent chance that new flaws will be introduced in an application. Consider this across all the applications in a portfolio, and you’ll see why it’s taking longer and longer to fix those flaws as work mounts. 
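As an added illustration (not from the post or from Veracode), the following Python model plugs the post's figures into a simple expected-value backlog calculation, so you can see the "sprinting to stand still" effect in numbers and substitute your own portfolio's rates. The exponential close rate, the number of flaws added in a month that introduces any, and the extra-capacity multiplier are assumptions of this example.

```python
"""Expected-value model of the backlog dynamics described in the post.
Figures marked 'from the post' are the post's; everything else is an
assumption of this added example, not Veracode data."""
from math import exp, log

INITIAL_FINDINGS = 50        # from the post: 50 static analysis findings
HALF_CLOSED_MONTHS = 10      # from the post: ~10 months to close half of them
EVENTUAL_RESOLVED = 0.70     # from the post: ~70% resolved, 30% left as debt
P_NEW_FLAWS_MONTH = 0.27     # from the post: 27% monthly chance of new flaws
NEW_FLAWS_PER_EVENT = 3      # assumption: flaws added in a month that adds any


def monthly_fix_rate(half_closed_months=HALF_CLOSED_MONTHS,
                     eventual_resolved=EVENTUAL_RESOLVED):
    """Per-month close probability for a fixable flaw, chosen so that half of
    ALL findings are closed after `half_closed_months` (the 30% that never
    get fixed are excluded from the fixable pool)."""
    # eventual_resolved * (1 - (1 - p) ** t) == 0.5  ->  solve for p
    still_open = 1.0 - 0.5 / eventual_resolved
    return 1.0 - exp(log(still_open) / half_closed_months)


def simulate(months, capacity_multiplier=1.0, new_flaws=True):
    """Month-by-month expected (open_fixable, permanent_debt, total_open).

    capacity_multiplier scales the monthly close rate (1.0 = the manual
    remediation pace from the post; >1.0 models extra fixing capacity,
    an assumption of this example)."""
    p = min(1.0, monthly_fix_rate() * capacity_multiplier)
    fixable = INITIAL_FINDINGS * EVENTUAL_RESOLVED
    debt = INITIAL_FINDINGS * (1.0 - EVENTUAL_RESOLVED)
    history = []
    for _ in range(months):
        fixable *= 1.0 - p                      # this month's closures
        if new_flaws:                           # expected inflow from new features
            inflow = P_NEW_FLAWS_MONTH * NEW_FLAWS_PER_EVENT
            fixable += inflow * EVENTUAL_RESOLVED
            debt += inflow * (1.0 - EVENTUAL_RESOLVED)
        history.append((fixable, debt, fixable + debt))
    return history


if __name__ == "__main__":
    scenarios = (("manual, no new code", {"new_flaws": False}),
                 ("manual, new code each month", {}),
                 ("2x capacity, new code each month", {"capacity_multiplier": 2.0}))
    for label, kwargs in scenarios:
        _, debt, total = simulate(36, **kwargs)[-1]
        print(f"{label:32s} month 36: open={total:5.1f} (debt {debt:4.1f})")
```

Even with doubled fixing capacity the permanent-debt line keeps rising, because the model only ever closes the fixable share of each month's inflow; that is the portfolio-wide growth the post describes.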

Why is this? We create software with automation. We fix it with manual remediation. 

Developers are becoming more and more productive. Companion coding alone is increasing developer productivity by 55 percent. The capacity to create software is increasing exponentially, but the capacity to secure software has only improved incrementally. Because of this, the security gap will grow wider: there will be more security flaws to fix and more time needed to fix them. As this happens, developers will be increasingly overwhelmed, security debt will accrue, risk will increase, and costs will accumulate.

This is an untenable situation. Historically, there have been three methods to tackle this challenge: slow down development, hire and train people, and/or accept more risk. Slowing development has competitive and strategic consequences. Finding talent is tremendously difficult given the 3.4-million-person talent gap – let alone the cost of hiring, training, and retaining people. And as the frequency, sophistication, and severity of cyberattacks increase, carrying security debt becomes a greater problem.

What Automated Fixing Could Look Like in Your AppSec Program

So, what would an intelligent remediation solution look like? Here are the three criteria you should consider: 

Automatically fix flaws in first-party code 

Automation needs to go beyond tools that only update vulnerable open-source dependencies. The real need is to address flaws in first-party code that developers lack the time, training, and resources to fix manually. A true solution needs to be capable of generating secure code patches tailored to a specific application, alleviating the burden on developers to remediate flaws by hand. That brings us to the second requirement.

Deliver a security-specialist solution 

To generate secure code, a solution needs to deliver security-specialist generative AI. Machine learning models reflect the dataset and supervision used to train them. Generative AI models trained on insecure code (which is a lot of code, considering that 75 percent of applications scanned in the last 12 months have security flaws) produce insecure code. If you want to close the gap and bring automation to security and flaw remediation, you need a security-specialist solution to complement generalist companion coding tools. Just as you need different skillsets in your development teams, you also need different skills and specialties in the solutions you provide for your people.

Operate in the developer’s work environment 

Code remediation suggestions must be integrated and actionable in developers’ workflows. The best solutions are the ones people actually use and adopt. After developing the capability to generate fixes and building trust in the suggested patches, the last hurdle is making it easy and transparent for developers to review them and take action.

A solution that delivers across these three areas – a security-specialist large language model capable of generating secure code suggestions that developers can implement with a pull request in their existing workflow – can close the security gap and vastly contribute to the success of your AppSec program.

The Future of Intelligent Software Security 

Of course, it’s easier to describe a solution than to deliver one. You would need to have one of the world’s largest cybersecurity datasets, a leading team of expert security researchers, foundational technology, and deep integration into the software development toolkit. Perhaps it’s no coincidence Veracode has cultivated these ingredients for over a decade. The future of intelligent software security is closer than you might think.

Curious? Join the guestlist for a special product announcement on April 18, 2023, and experience the future of intelligent software security for yourself. 


By Devin Maguire

Devin is a Sr. Product Marketing Manager helping customers confidently deliver secure software faster by placing developers and security practitioners at the fulcrum of Veracode’s product positioning and messaging.