Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CodeQL. Show all posts

GitHub Unveils AI-Driven Tool to Automatically Rectify Code Vulnerabilities

GitHub has unveiled a novel AI-driven feature aimed at expediting the resolution of vulnerabilities during the coding process. This new tool, named Code Scanning Autofix, is currently available in public beta and is automatically activated for all private repositories belonging to GitHub Advanced Security (GHAS) customers.

Utilizing the capabilities of GitHub Copilot and CodeQL, the feature is adept at handling over 90% of alert types in popular languages such as JavaScript, Typescript, Java, and Python.

Once activated, Code Scanning Autofix presents potential solutions that GitHub asserts can resolve more than two-thirds of identified vulnerabilities with minimal manual intervention. According to GitHub's representatives Pierre Tempel and Eric Tooley, upon detecting a vulnerability in a supported language, the tool suggests fixes accompanied by a natural language explanation and a code preview, offering developers the flexibility to accept, modify, or discard the suggestions.

The suggested fixes are not confined to the current file but can encompass modifications across multiple files and project dependencies. This approach holds the promise of substantially reducing the workload of security teams, allowing them to focus on bolstering organizational security rather than grappling with a constant influx of new vulnerabilities introduced during the development phase.

However, it is imperative for developers to independently verify the efficacy of the suggested fixes, as GitHub's AI-powered feature may only partially address security concerns or inadvertently disrupt the intended functionality of the code.

Tempel and Tooley emphasized that Code Scanning Autofix aids in mitigating the accumulation of "application security debt" by simplifying the process of addressing vulnerabilities during development. They likened its impact to GitHub Copilot's ability to alleviate developers from mundane tasks, allowing development teams to reclaim valuable time previously spent on remedial actions.

In the future, GitHub plans to expand language support, with forthcoming updates slated to include compatibility with C# and Go.

For further insights into the GitHub Copilot-powered code scanning autofix tool, interested parties can refer to GitHub's documentation website.

Additionally, the company recently implemented default push protection for all public repositories to prevent inadvertent exposure of sensitive information like access tokens and API keys during code updates.

This move comes in response to a notable issue in 2023, during which GitHub users inadvertently disclosed 12.8 million authentication and sensitive secrets across more than 3 million public repositories. These exposed credentials have been exploited in several high-impact breaches in recent years, as reported by BleepingComputer.

Microsoft made CodeQL Queries Public for SolarWinds Attack Detection

 


Microsoft has won acclaim from security researchers by making its CodeQL queries public so any association could utilize the open-source tools to analyze if they encountered any vulnerabilities from the SolarWinds hack or similar supply chain attacks. "There is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant," Microsoft says. "These should be considered as just a part in a mosaic of techniques to audit for compromise." 

CodeQL queries code as though it were information, which allows developers to compose a query that discovers all the variations of a vulnerability, and afterward share it with others. CodeQL is an open-source semantic code analysis engine that works in two stages. First, as a feature of the compilation of source code into binaries, CodeQL fabricates a database that catches the model of the compiling code.

"For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database," Microsoft notes. 

In a blog post that details how it utilized the CodeQL technique, Microsoft alluded to the SolarWinds assault as Solorigate. For this situation, the attacker got into the remote management software servers of numerous organizations and infused a backdoor into the SolarWinds Orion software update. The attacker modified the binaries in Orion and dispersed them via previously legitimate update channels. This let the assailant remotely perform vindictive activities, such as credential theft, privilege escalation, and lateral movement to steal sensitive information. 

Microsoft said the SolarWinds incident has reminded associations to reflect not just on their readiness to respond to sophisticated attacks, but also the strength of their own codebases. In the blog, Microsoft clarifies its utilization of CodeQL queries to examine its source code at scale and preclude the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.