One of the biggest challenges that application security engineers are facing is the large amount of false positives from security scanners. False positives are results that indicate a vulnerability where there is none, or where the risk is negligible. Triaging these false positives wastes a lot of time.
Limitations of current approaches
Reducing false positives and managing them efficiently is challenging task. A common approach is to create customized rulesets for each application, but this demands a lot of time and skill, which is a major bottleneck for most AppSec teams.
Over time, these rules can become hard to manage, understand and maintain. The complexity of the rules might then outweigh their benefits of reducing false positives. An overly complex ruleset will make you and your team less productive.
This is where our new AI Remediation feature comes into play. It makes suggestions for vulnerability fixes that developers themselves can quickly review and apply, without burden you to define complex rules. The AI assisted recommendations make easy for developers to fix vulnerabilities, before they hit the AppSec team in the first place, and facilitate the collaboration between AppSec and devs on triaging.
Fine-tuned for AppSec
We originally started exploring the use of modern machine learning techniques, like recent Large Language Models, in 2022. Earlier this year, during Black Hat 2023, we announced the beta of our first AI related feature.
AI Remediation has been fine-tuned with the unique insights into the many false positive alerts that the Kondukto Platform sees from dozens of the industry leading scanners (SAST, DAST, commercial and open-source). We have been working with select customers as we were developing this feature and received valuable feedback that we incorporated into this first release.
Using Kondukto AI Remediation
The suggestions for vulnerability fixes integrate seamlessly with your existing developer and application security workflows. You don’t need to adopt any new user interface paradigms.
Suggestions are being made in the form of git comments, right in your repository. They are often fixing the vulnerability right away and are usually a good starting point for your own nuanced solution to the issue.
You and your team remain in full control, there is no autopilot messing with your established best practices and policies.
Enabling our AI assisted remediation feature is easy and you can be up and running in just a few minutes.
Assuming that you have already successfully onboarded your projects from GitHub, just follow these easy steps:
- Enable the AI Remediation feature from your account’s integration page.
- Add the Kondukto App to your repository (from your repo’s marketplace, just search for “Kondukto”).
- The Kondukto App will create a workflow on your CI/CD (alternatively, you can do this step manually).
- You will then get a custom configuration file for the Kondukto App that interacts with the repositories. Add that configuration file to your CI/CD provider.
- That’s it, you are good to go.
Now, whenever a new vulnerability is discovered during a pull or merge request, you will see a description of the vulnerability and a suggestion on how to fix it by our AI assisted app. A summary table of the security posture is included in the comment and if you have an associated security policy configured, the Kondukto App can halt the CI/CD build accordingly.
You also have the ability to configure your own rules to determine under which circumstances you want the comments to be generated. This way the feature can be further fine-tuned, for example to only make recommendation when a "high" or "critical” vulnerability has been identified.
We believe the best way to triage vulnerabilities is by involving developers in this process without overwhelming them. Developers have the best understanding of their code. Providing them with the necessary information through a security vendor-agnostic approach.
AI Remediation is accomplishing exactly that, making it easy for them to fix security issues, reducing your average time-to-remediation and improving the quality and security of your code.
The public beta of AI Remediation is part of our Autumn Release and will be available to Kondukto customers, cloud and on-premises, by end of October. Customers can enable the feature from the integrations section within the Kondukto Platform.
Not a customer yet? Request your free demo.