
Feature Announcement: AI-based code risk mitigations

Arnica has introduced a new security feature – AI-generated code risk mitigation recommendations – to help developers tackle code risks easily, including less experienced developers. With AI-generated code risk mitigations, Arnica identifies code risks such as Static Application Security Testing (SAST) or Infrastructure-as-Code (IaC) findings and provides actionable code snippet recommendations that can be used to fix the risk before the code is delivered to a production environment.

What user pains exist?  

In the rapidly evolving landscape of secure software development, some major pain points exist for developers when it comes to maintaining effective application security.

Ensuring secure coding practices

Many software engineers are equipped with the knowledge to write secure code, but not all. Arnica identifies code risks, such as SAST and IaC findings, and provides a recommendation to mitigate the risk. However, less experienced developers may need more information, such as code examples relevant to the context of the vulnerable code, as well as a walkthrough of the recommended code changes.

Maintaining velocity

Whether a developer is just getting started in their secure coding journey or a seasoned security champion, security issues can require a major time investment to fix. Existing tools often identify risks such as SAST (Static Application Security Testing) and IaC (Infrastructure as Code) vulnerabilities but fall short in guiding developers on how to effectively address these issues. This lack of clear, context-relevant guidance and educational resources can hinder productivity and result in a steep learning curve for less experienced developers.

Additionally, when code risks are surfaced for the first time at the pull request stage, it is typically too late to handle the tech debt associated with making the fix. The main reason is that a pull request represents code that the developer considers ready to merge (unless the team uses draft PRs, which is rare).

Blaming and shaming

Traditional security scanning approaches, especially scanners deployed in pipelines, often result in developers being blamed or shamed for pushing a security issue into the pipeline – especially when the result is a broken build. This dynamic between security and development can cause resentment, and it stems from the fact that traditional pipeline scanners do not help developers fix problems before they are introduced.

What Arnica built

To alleviate these major pain points, Arnica has armed developers with a security co-pilot in the form of AI-generated code risk recommendations.  

How it works:

  1. When a developer pushes vulnerable code, Arnica identifies the new code risks and notifies the developer privately, without blame or shame, via ChatOps (Slack or Microsoft Teams).
  2. At this point, the developer can click a magic link that shows more context about the vulnerability from within Arnica, without needing an Arnica login. Upon clicking the OpenAI icon in Arnica, a code example and explanation are provided to the developer in real time.

Why it matters

The impact of this feature for both security and developers is immense.  

Developers are provided real-time guidance on how to fix a code risk. They do not need to wait until a build breaks or a security ticket is created, forcing them to context switch back to what they were working on last week or last month. Developers are given a resolution path for a security issue before it can become a production risk.

Security can rest assured that by providing developers with risk mitigation paths at the moment a risk is detected, more code risks will be fixed earlier. That means fewer tickets in the backlog and fewer frustrated developers having to go back and redo their work.

With early detection and code risk mitigation made easy with AI-generated code recommendations, developers can develop freely without concern that their code will break the next build.

About Arnica

Enterprises today are faced with the need to harden their DevOps ecosystem to combat the proliferation of Software Supply Chain Attacks. These organizations are faced with the growing challenge of balancing development velocity, cost efficiency, and security.

Managing excessive developer permissions and identifying the corresponding anomalous behavior are two obstacles in the way of establishing this equilibrium. Arnica was established to solve these obstacles by providing a seamless and frictionless active mitigation platform for exactly these issues and more. Arnica is the easy button for DevOps security.

Arnica analyzes excessive permissions, code risks and misconfigurations across the developer toolset and mitigates them.
