OWASP 20th Anniversary Event

Abstract:
Developing secure software is not a trivial undertaking. Modern applications are commonly encumbered with security vulnerabilities that can present a serious risk to services, systems, organizations, and end users.

While vulnerability detection is commonly an automated process, vulnerability remediation is not. Relegating such effort to developers who might not possess the knowledge required to handle vulnerabilities is a demanding and ineffective process. However, the idea of automatic code remediation may not be easy for developers to accept, let alone endorse, due to a trust barrier. Developers will likely be concerned about any process that autonomously pushes changes that might break their code. To gain the requisite trust by developers, automatic remediation must ensure that code changes preserve application functionality and structure as much as possible. More importantly, automatically generated code should look like it was written by the code owner and must never break the application.

Automatic remediation of security vulnerabilities offers an immense value proposition for organizations. It does this by potentially expediting product release schedules, by freeing development bandwidth so that it may be dedicated for feature implementation (rather than software maintenance), and by ultimately delivering better software security. What’s more, customer studies and reviews reveal that an automated approach to vulnerability remediation can save time and eliminate friction with security teams.

This session presents how automatic vulnerability remediation realizes an incredible value proposition by enabling faster product release schedules, extended development bandwidth, and better software security.