Recent advancements in artificial intelligence (AI) have sparked a resurgence of interest in the concept of fully automated vulnerability remediation. The industry is currently witnessing a boom in attempts to provide tailored remediation solutions that are designed specifically for individual code bases, taking into account unique environments and circumstances. These solutions are powered by generative AI, a cutting-edge technology that is already demonstrating signs of success. However, there is a crucial question that must be addressed: Are we truly ready to fully embrace this groundbreaking technology?
If you ask any developer who has utilized GitHub Copilot or one of its alternatives, you will be met with a plethora of examples showcasing how AI can generate context-aware code completion suggestions, ultimately saving a significant amount of time. However, you will also come across examples of suggestions that are either irrelevant, overly complex, or simply incorrect. This highlights the fact that while we are indeed experiencing a technological breakthrough that promises automated code generation superior to anything we have witnessed before, technology alone cannot solve all of the challenges associated with vulnerability remediation. The process and the people involved are equally important.
Every modification made to an application represents a delicate balance between introducing improvements and safeguarding existing functionality. When it comes to urgent changes, such as security fixes, the pressure intensifies due to tight deadlines and the necessity of getting everything right. Applying patches, although essential, can sometimes lead to unforeseen consequences, potentially resulting in system outages. IT managers responsible for patching can share numerous horror stories of seemingly innocuous patches that ended up disrupting users’ day-to-day work. On the other hand, failing to apply a patch, which ultimately allows vulnerabilities to be exploited, can lead to devastating consequences for an entire organization.
Achieving good software engineering involves maintaining the ability to implement changes swiftly while still safeguarding the application and its maintainers from detrimental modifications. However, numerous challenges exist in achieving this delicate balance, such as legacy software that is difficult to modify and ever-evolving system requirements. In reality, maintaining the ability to alter software is a complex task that cannot always be achieved seamlessly, and teams must accept the risks associated with some changes potentially requiring additional remediation. The primary challenge for engineers is to ensure that proposed changes produce the intended results, which is where generative AI can be of significant assistance. This principle applies to security fixes as well.
One major difficulty that arises in large enterprises is the fragmentation of responsibility. Central Application Security (AppSec) teams, responsible for reducing risk across the entire organization, cannot be expected to fully comprehend the potential consequences of implementing a specific fix within a particular application. Certain solutions, such as virtual patching and network controls, allow security teams to address issues independently of the development teams, which can streamline mitigation efforts, reduce the need for extensive engineering resources, or even eliminate the need for their involvement.
However, these solutions can also generate friction. Network controls, including firewalls and Web Application Firewalls (WAFs), have historically granted IT and security professionals a high degree of autonomy, leaving developers to simply adapt and adjust. These controls clearly prioritize control over productivity, which inevitably introduces added friction for developers. When it comes to application vulnerabilities, fixes typically entail modifying either the application’s code or its environment. While implementing changes to the code falls within the domain of the development team, altering the environment traditionally provides an avenue for security teams to intervene and could offer a more suitable path for applying AI-generated remediations.
In on-premises environments, security agents often handle workload and infrastructure management. In managed environments, such as public cloud providers or low-code/no-code platforms, security teams can fully comprehend and examine environment changes, enabling them to intervene more deeply in application behavior. For example, configuration changes can impact application behavior without altering the code, allowing for the implementation of security mitigations while minimizing potential consequences. An excellent example of this is enabling built-in encryption-at-rest for databases, preventing unauthorized data access or applying data masking for sensitive information processed within a low-code application.
It is crucial to recognize that environment changes can affect application performance. Encryption, for instance, can introduce additional overhead, while masking sensitive data may make debugging more challenging. However, more and more organizations are willing to embrace these risks in order to increase security mitigation while reducing engineering costs.
Ultimately, organizations must strike a balance between the risks posed by vulnerabilities and the risks associated with implementing mitigations. Although AI-generated remediations considerably decrease the cost of remediation, there will always be some level of risk involved in their implementation. Nevertheless, failing to remediate vulnerabilities due to fear of consequences simply shifts organizations from one end of the risk spectrum to the other, far from reaching a perfect balance. Automatically applying any auto-generated remediation represents the opposite extreme.
Instead of opting for either extreme, it is imperative to acknowledge the risks associated with vulnerabilities and mitigations and find a suitable equilibrium between the two. Mitigations may occasionally disrupt application functionality. However, choosing not to accept this risk inherently means embracing the risk of a security breach due to a lack of effective mitigation measures. It is essential that organizations carefully consider the benefits and potential drawbacks of AI-powered vulnerability remediation, ultimately striving to find the ideal balance between security and functionality.