Wednesday, July 10, 2024

The Solution to Application Security’s Biggest Challenge, Vulnerability Remediation, May Finally Arrive

The importance of vulnerability management is simple — find and fix issues before an adversary finds and exploits them. Unfortunately, the remediation rates reported by leading application security vendors average only around 50% or far less. And when vulnerabilities are fixed it takes weeks or months. The rest of the vulnerabilities? They’re often never fixed and this has been the reality for many years [1][2][3][4][5].

The underlying reason for vulnerabilities not getting fixed is basically resource constraints. When application vulnerabilities are found, typically they must be fixed by an internal software development group, not the InfoSec team. And since software development resources are always scarce, allocation between vulnerability remediation and building new features is purely a business decision. And the needs of the business largely favor revenue generating features over security issues.

At the same time, many companies have hundreds and often thousands of websites in total, with an untold number of code repositories supporting them. In my ~20 years working in application security, including at WhiteHat Security with 1000+ customers, only ~20% of those websites were routinely scanned for vulnerabilities. The same is essentially true for the underlying code repositories.

And the reason for the lack of pervasive application scanning is understandable: if a company already can’t keep up with their current remediation challenges, they’re certainly not going to want to spend more money to identify potentially thousands more vulnerabilities that they also can’t fix any time soon.

The lack of a scalable vulnerability remediation solution is what holds back pervasive application scanning, and it leaves thousands of companies at risk without viable options. Finding a way to remediate vulnerabilities faster, easier, and cheaper would be absolutely monumental and push the entire application security industry forward. That’s why I’ve been focusing on and researching this problem for well over a decade.

I’ve worked with WAF technology, RASP technology, browser technology, leveraging third-party development shops, and anything else that might work. All these approaches have their pros and cons, and do work in certain scenarios, but ultimately they have so far been unsuccessful in broad market adoption. More product innovation is needed.

AI technology provides an exciting opportunity to solve vulnerability remediation. We’re already seeing how developers are able to leverage AI to automatically generate code. In the same way, what if it were possible for AI to import Static Application Security Testing (SAST) results and automatically fix the code with an AI Agent built on LLM technology? Ideally, all a developer would need to do is review the fixed code and accept it for QA testing in a single click. That would let a developer fix an issue while it's fresh in their mind in less than a minute, which is much better than getting a ticket 3 months after the code was written.
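To make the workflow concrete, here is a small added example (my own illustration, not Amplify's product or any vendor's code) of the plumbing around such an agent: it reads findings in SARIF, the standard interchange format most SAST tools can emit, proposes a fix for the flagged line, re-scans the patched file to confirm the finding is gone, and hands the developer a unified diff to review. The SARIF document, the source file, and the rule id `EXAMPLE-SQLI` are all constructed for this example, and the fix step is a deterministic stand-in for the LLM agent; a real agent would generate the replacement line instead of the regex rewrite shown here.

```python
"""Toy pipeline: SAST findings (SARIF) -> proposed fix -> re-scan -> reviewable diff."""
import difflib
import json
import re

# Constructed SARIF 2.1.0 document with a single finding (not real tool output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [{
            "ruleId": "EXAMPLE-SQLI",  # placeholder rule id for this example
            "level": "error",
            "message": {"text": "SQL statement built with string formatting"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/db.py"},
                "region": {"startLine": 3},
            }}],
        }],
    }],
})

# Constructed source file keyed by path; line 3 is the flagged statement.
SAMPLE_FILES = {
    "app/db.py": (
        "def find_user(cur, name):\n"
        "    # user input interpolated into SQL: what the scanner flagged\n"
        "    cur.execute(\"SELECT * FROM users WHERE name = '%s'\" % name)\n"
        "    return cur.fetchone()\n"
    ),
}

# Matches `<cursor>.execute("<sql>" % <arg>)`, the shape the constructed finding points at.
SQLI_PATTERN = re.compile(r"""(?P<cur>\w+)\.execute\((?P<sql>"[^"]*")\s*%\s*(?P<arg>\w+)\)""")


def parse_sarif(text):
    """Flatten SARIF results into (rule, path, line, message) records."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                phys = loc["physicalLocation"]
                findings.append({
                    "rule": res.get("ruleId"),
                    "path": phys["artifactLocation"]["uri"],
                    "line": phys["region"]["startLine"],
                    "message": res.get("message", {}).get("text", ""),
                })
    return findings


def propose_fix(rule, line_text):
    """Stand-in for the LLM agent: rewrite the interpolated query as a parameterized one.
    Returns the replacement line, or None if this rule/line is not handled."""
    if rule != "EXAMPLE-SQLI":
        return None
    m = SQLI_PATTERN.search(line_text)
    if not m:
        return None
    sql = m.group("sql").replace("'%s'", "?").replace("%s", "?")
    fixed = f"{m.group('cur')}.execute({sql}, ({m.group('arg')},))"
    return line_text[:m.start()] + fixed + line_text[m.end():]


def remediate(sarif_text, files):
    """Produce one review-ready proposal per fixable finding."""
    proposals = []
    for f in parse_sarif(sarif_text):
        src = files.get(f["path"])
        if src is None:
            continue
        lines = src.splitlines(keepends=True)
        idx = f["line"] - 1
        if not 0 <= idx < len(lines):
            continue
        new_line = propose_fix(f["rule"], lines[idx].rstrip("\n"))
        if new_line is None:
            continue  # leave it for a human; never silently "fix" what we can't
        patched = lines[:idx] + [new_line + "\n"] + lines[idx + 1:]
        patched_src = "".join(patched)
        proposals.append({
            "path": f["path"],
            "line": f["line"],
            "rule": f["rule"],
            # Re-scan with the same detector: the fix is only proposed if the finding is gone.
            "rescan_clean": SQLI_PATTERN.search(patched_src) is None,
            "diff": "".join(difflib.unified_diff(
                lines, patched, fromfile="a/" + f["path"], tofile="b/" + f["path"])),
            "patched": patched_src,
        })
    return proposals


if __name__ == "__main__":
    for p in remediate(SAMPLE_SARIF, SAMPLE_FILES):
        print(f"{p['path']}:{p['line']} [{p['rule']}] rescan clean: {p['rescan_clean']}")
        print(p["diff"])
```

The two pieces a practitioner should insist on are both present: the proposal carries a re-scan result, so an "accept" click is gated on the scanner no longer flagging the line, and the output is a diff rather than a silently rewritten file, so the developer's review step described above stays in the loop.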

There are at least a few vendors working on this approach. Recently I was introduced to a start-up called Amplify, which is building a product based on this exact concept. Amplify provides developers with an AI-powered tool that automatically fixes vulnerabilities in a way that would be equivalent to having a Sr. Developer and Sr. Security Engineer sitting and solving the problem together. The potential of this technology is exciting and will only get better over time. I believed in the founder, the vision, and the implementation enough to become an Angel investor.

I personally want to be part of solving this problem after spending most of my career in the application security industry. Success would enable every company to finally scan their entire code repositories for vulnerabilities and, when vulnerabilities are found, do something about them quickly and easily. Remediation rates would be drastically improved, mean-time-to-fix would go way down, and application breaches would become rare. This is the entire goal of the application security industry — and it could be right around the corner!
