Transforming Vulnerability Management: Bridging Gaps with Generative AI in Cybersecurity
This week was extremely exciting for the early adopters of AI pair programming technologies such as GitHub Copilot. GitHub made tons of announcements during its own conference called GitHub Universe, such as the use of GPT-4 for Copilot Chat, Copilot Enterprise, their vision for Copilot Workspace and more.
GitHub has also revealed new and important AI-powered security features such as Code Scanning Autofix, AI-powered secret scanning and a regular expression generator for custom patterns to find leaked secrets. With these new offerings, GitHub is clearly committed to advancing the Security industry with the help of Generative AI.
From the announcements made this week, I believe Code Scanning Autofix, in particular, will have tremendous impact on how we manage vulnerabilities and turn security into a first-class citizen in the Software Development Lifecycle (SDLC). So in this article, I want to shed some light on some of the challenges Vulnerability Management Programs face and how AI pair programming technologies can help with those challenges.
Scalability Issues of Traditional Vulnerability Management
The traditional approach to vulnerability management has become tremendously slow in today’s world, as the pace of changes introduced to applications and systems keeps increasing. As a result, many organizations drown in a deep ocean of vulnerabilities and suffer the consequences of an ever-increasing number of cyber attacks.
Let’s take a look at a traditional vulnerability management cycle:
As you can imagine, the number of manual steps (triaging, prioritization and ticket creation) and the back-and-forth communication with dev teams tend to be the culprits of a slow vulnerability remediation cycle: by the time the ticket lands on the dev team’s board and they start working on it, they’ve probably already delivered many other features (which have potentially already introduced many other vulnerabilities). And so you are basically always behind, playing catch-up.
What we need is a much faster cycle, where developers get instant feedback about a vulnerability that their code is about to introduce before it makes its way to production.
GenAI to the rescue
One of GitHub’s announcements was the introduction of Code Scanning Autofix. GitHub is certainly no stranger to Code Scanning as they already provide a powerful solution through CodeQL. However, with this new offering, they’re certainly taking it to the next level. Here’s what it looks like (taken from the keynote’s example):
After opening a PR with some code changes, the GitHub Advanced Security bot gives a warning that a potential vulnerability related to Reflected XSS could be introduced due to a user-provided value (${req.query.name}). This is a great first step (knowing the problem), and it certainly helps shorten the cycle I mentioned earlier, as the vulnerability is shown to the developer before the code is even merged. But it gets better:
You’ll also get a proposed remediation for the vulnerability right on your PR! Note that GitHub Advanced Security does not use a random example to explain what you should do. It actually modifies your code and even suggests changes that should be made outside the file that contains the vulnerability. From there, you can then choose to accept and commit the changes, or dismiss the suggestion.
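To make the keynote’s example concrete, here is an added illustration (my own code, not GitHub’s or CodeQL’s) of the pattern the bot flags and the kind of fix it proposes: a query parameter interpolated straight into an HTML response, beside the same handler with output encoding at the sink. The `req` object, the `escapeHtml` helper and the sample name are assumptions; no Express dependency is involved, so it runs stand-alone.

```javascript
// Added example, not code from the article or from GitHub's keynote.
// A plain object stands in for the `req` an Express-style route receives,
// so there is no framework dependency here (assumption for this example).

// Escape the five characters that matter in an HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// BEFORE: the pattern the scanner warns about. `req.query.name` is an
// attacker-controlled value and is written into the HTML body unchanged,
// so any markup in it is rendered by the browser (reflected XSS).
function greetVulnerable(req) {
  return `<h1>Hello, ${req.query.name}</h1>`;
}

// AFTER: the same handler with the untrusted value encoded at the sink,
// which is what an Autofix-style remediation would change in this file.
function greetFixed(req) {
  return `<h1>Hello, ${escapeHtml(req.query.name)}</h1>`;
}

// A small check a unit test or reviewer can run on the rendered body:
// does a tag-bearing input appear verbatim in the response?
function reflectsRawMarkup(body, input) {
  return /<[^>]+>/.test(input) && body.includes(input);
}

// Constructed sample request (not captured traffic): the name carries a
// harmless tag so the difference between the two handlers is visible.
const sampleReq = { query: { name: '<b>Ada</b>' } };

console.log(greetVulnerable(sampleReq)); // raw <b> tags reach the page
console.log(greetFixed(sampleReq));      // tags arrive as &lt;b&gt; text
```

The essential point for a reviewer is that the fix lands at the output sink, not at the input: validating `name` elsewhere would not protect other routes that render the same value.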
Obviously, we still need to exercise care when it comes to AI-powered solutions and we should always thoroughly test our code, especially if we accept AI-proposed changes. But to think how long it would normally take to get to the remediation phase following traditional vulnerability management processes and the speed now at which a remediation is ready to be merged, it is truly mind-blowing! 🤯
That 8-step vulnerability management cycle I showed you earlier could likely be reduced to this:
My takes on the future of VM with GenAI
Needless to say, this is a huge step towards building a more effective Vulnerability Management (VM) program. However, we’re only at the beginning of this new era. For example, GitHub Advanced Security’s Code Scanning Autofix only works for JavaScript and TypeScript at the moment (as far as I am aware), and we still need support for many other programming languages. Moreover, there are many other types of vulnerabilities that we need to consider as part of such a program:
- Operating System
- Network
- Software Supply Chain
- Firmware
- Infrastructure-as-Code
And the list goes on. Another important thing to note is that this requires a cultural change in the organization, and you will still need traditional vulnerability management processes for those vulnerabilities that are either ignored at the PR phase or that GitHub Advanced Security does not support. So no, I do not think Security Engineers will be replaced anytime soon, but I do think the role will change drastically over the coming years, the same way the role of a System Administrator evolved when cloud computing started becoming mainstream more than a decade ago!
The world has already seen the impact of Generative AI with the introduction of ChatGPT back in 2022 and I believe expanding it to the Cyber Security space will certainly help democratize secure coding and strengthen the DevSecOps movement.
Of course, it’ll take time, but as the Chinese proverb goes: “A journey of a thousand miles begins with a single step”.
What did you think of GitHub’s announcements and do you think this is a game changer? Or perhaps this is just yet another hype? Feel free to leave comments below or in my LinkedIn post, I would love to get your perspective on this topic.
Thanks for your time reading this article!
Fun fact: parts of this article were generated by AI! Can you guess which ones? 😉