Automatic Vulnerability Remediation: The Trusted and Secure Road to Developer Happiness


Authors: Rami Elron


The presentation discusses the importance of better software security through auto remediation and the challenges associated with it. It emphasizes the need for trustworthiness, accuracy, and insightfulness in auto remediation.
  • Auto remediation is about facilitating the process of remediation and reducing the number of unattended issues.
  • A standardized fix approach helps with triaging and prioritization.
  • Auto remediation can combat the security knowledge gap and better allocate resources.
  • Trust is important in auto remediation and it must be designed to accommodate the developer's concerns.
  • Auto remediation should be proactive, accurate, and reduce noise and ambiguity.
  • Insightfulness is important in auto remediation to provide suggestions that garner more trust from the end user.
  • Auto remediation must drive results and be developer-centric.
  • The challenges associated with auto remediation include the proper placement and annotation of sanitization and the potential for inadvertent changes to the logic of the application.
  • Traditional remediation approaches can be confounding and irrelevant to developers.
  • Auto remediation should embrace a developer's standpoint and provide confirmation that the solution will work.
The presentation provides examples of injection and path traversal vulnerabilities and highlights the importance of proper sanitization. It also discusses the difficulty of giving developers guidance on sanitization and the risk of inadvertently changing the application's logic while fixing it, and emphasizes that auto remediation must be developer-centric and confirm that the solution will work.
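As an added example that is not part of the presentation, the path traversal case in Python: the unchecked file lookup beside its remediated form, with the sanitizer placed where the untrusted path reaches the filesystem API, plus a behaviour-preservation check of the kind a remediation tool could show the developer. BASE_DIR and the sample inputs are constructed for this illustration.

```python
import os
from pathlib import Path

# Constructed web root for the example; not a path from the presentation.
BASE_DIR = Path("/srv/app/public")


def read_file_before(base_dir: Path, user_path: str) -> Path:
    """'Before' version: joins untrusted input straight onto the web root.
    An input such as '../../etc/passwd' escapes base_dir (path traversal)."""
    return base_dir / user_path


def safe_join(base_dir: Path, user_path: str) -> Path:
    """Sanitizer inserted by the remediation, at the one point where the
    untrusted path meets the filesystem. Normalisation is lexical
    (os.path.normpath), so it works without the directory existing on disk.
    Assumes user_path has already been URL-decoded by the web framework."""
    base = os.path.normpath(str(base_dir))
    candidate = os.path.normpath(os.path.join(base, user_path))
    # commonpath collapses to a parent of base (or '/') when the candidate
    # escaped the web root; an absolute user_path is caught the same way.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal blocked: {user_path!r}")
    return Path(candidate)


def read_file_after(base_dir: Path, user_path: str) -> Path:
    """'After' version: same signature and same result for legitimate input,
    so callers need no change; only escaping paths are rejected."""
    return safe_join(base_dir, user_path)


def is_blocked(base_dir: Path, user_path: str) -> bool:
    """True when the remediated version rejects the input."""
    try:
        read_file_after(base_dir, user_path)
    except ValueError:
        return True
    return False


def remediation_preserves_behaviour(base_dir: Path, legitimate_inputs) -> bool:
    """Regression check a remediation tool can present to the developer:
    every legitimate input resolves to the same file before and after the fix."""
    for user_path in legitimate_inputs:
        before = Path(os.path.normpath(str(read_file_before(base_dir, user_path))))
        if before != read_file_after(base_dir, user_path):
            return False
    return True
```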


Abstract: Developing secure software is not a trivial undertaking. Modern applications are commonly encumbered with security vulnerabilities that can present a serious risk to services, systems, organizations, and end users. While vulnerability detection is commonly an automated process, vulnerability remediation is not. Relegating such effort to developers who might not possess the knowledge required to handle vulnerabilities is a demanding and ineffective process. However, the idea of automatic code remediation may not be easy for developers to accept, let alone endorse, due to a trust barrier. Developers will likely be concerned about any process that autonomously pushes changes that might break their code. To gain the requisite trust of developers, automatic remediation must ensure that code changes preserve application functionality and structure as much as possible. More importantly, automatically generated code should look like it was written by the code owner and must never break the application.

Automatic remediation of security vulnerabilities offers an immense value proposition for organizations. It does this by potentially expediting product release schedules, by freeing development bandwidth so that it may be dedicated to feature implementation (rather than software maintenance), and by ultimately delivering better software security. What's more, customer studies and reviews reveal that an automated approach to vulnerability remediation can save time and eliminate friction with security teams.

This session presents how automatic vulnerability remediation realizes an incredible value proposition by enabling faster product release schedules, extended development bandwidth, and better software security.