Traditional methods of flaw remediation are not equipped with the technology to keep pace with the rapid evolution of code generation practices, leaving developers incapable of managing burdensome and overwhelming security debt. Code security is still a critical concern in software development. For instance, when GitHub Copilot generated 435 code snippets, almost 36% of them had security weaknesses, regardless of the programming language.

Software development teams face a constant dilemma: striking the right balance between speed and security. How is artificial intelligence (AI) impacting this dilemma? With the increasing use of AI in the development process, it's essential to understand the risks involved and how we can maintain a secure environment without compromising on speed. Let’s dive in.

As I travel around the world meeting with customers and prospects, we often discuss the tectonic shifts happening in the industry. At the heart of their strategic initiatives, organizations are striving to innovate rapidly and deliver customer value with uncompromising quality and security, while gaining a competitive edge in the market.

The US National Institute of Standards and Technology (NIST) has almost completely stopped analyzing new vulnerabilities (CVEs) listed in its National Vulnerability Database (NVD). Through the first six weeks of 2024, NIST analyzed over 3,500 CVEs with only 34 CVEs awaiting analysis.1 Since February 13th, however, nearly half (48%) of the 7,200 CVEs received this year by the NVD are still awaiting analysis.2 The number of CVEs analyzed has dropped nearly 80% to less than 750 CVEs analyzed.

In the last blog on fixing vulnerabilities with Veracode Fix, we looked at SQL Injection remediation in a Java application. Since then, we have released Fix support for Python (and PHP) and launched a new VS Code plugin that includes support for Fix. It seems appropriate, therefore, to look at resolving a problem in a Python app using Veracode Fix in the VS Code IDE. This time let’s examine a simple cross-site scripting (XSS) weakness.

Security debt is a major and growing problem in software development with significant implications for application security, according to Veracode's State of Software Security 2024 Report. Let’s delve a bit deeper into the scope and risk of security debt, and gain some insights for application security managers to effectively address this challenge. Security debt refers to software flaws that remain unfixed for a year or more.

The release of the February 2024 White House Technical Report, Back to the Building Blocks: A Path Towards Secure Measurable Software, brings about a timely shift in prioritizing software security. Software is ubiquitous, so it’s becoming increasingly crucial to address the expanding attack surface, navigate complex regulatory environments, and mitigate the risks posed by sophisticated software supply chain attacks.

Modern software development techniques are creating flaws faster than they can be fixed. While using third-party libraries, microservices, code generators, large language models (LLMs), etc., has remarkably increased productivity and flexibility in development, it has also increased the rate of generating insecure code. An automated and intelligent solution is needed to bridge the widening gap between the introduction and remediation of flaws.