Developers no longer need to spend time searching for fixes — our How to Fix tab now delivers customized, AI-generated remediations tailored to each vulnerability.
(Note: This feature is currently available only in the U.S.)
For years, Contrast’s customers have used our high-quality vulnerability remediation guidance on the How to Fix tab. The legacy guidance discusses how to resolve each of the many vulnerabilities that we recognize with details and code examples suited for the application’s language. But now, we’ve taken this great feature and made it even better!
Using the power of generative AI, we can now look at the full context, such as vulnerability event details and application libraries, to generate customized remediations for that particular vulnerability. Users now get not only the identified vulnerability but also a custom solution for that particular issue, without the developer needing to write it themselves or evaluate multiple options. This increases efficiency and accelerates time to resolve for developers.
Let’s dig into how Contrast is using generative AI technology to provide custom remediations. When delivering the remediation details, the intelligent remediation guidance calls a sandboxed Anthropic LLM from the Amazon Web Services (AWS) Bedrock service.
(Note: Customer security and data privacy are paramount for Contrast. Because the Large Language Model (LLM) is sandboxed, no customer data is used to train the Anthropic model. For more details, a copy of the Anthropic on Bedrock Terms of Service can be found at https://www.contrastsecurity.com/hubfs/Anthropic-on-Bedrock_Commercial_Terms.pdf.)
To begin using intelligent remediation guidance, an organization must first enable it in the Organization Settings. Once it is enabled, navigate to the vulnerability’s How to Fix tab, then click the new Use Contrast AI button to request the intelligent remediation guidance for that vulnerability.
Figure 1: Use Contrast AI button
While the intelligent remediation guidance details are different for each vulnerability, they always follow the same basic format. Let’s examine that structure in order to better understand the value of this new feature.
Figure 2: Example of intelligent remediation guidance
Contrast is focused on helping our customers detect and respond to application-layer threats. We understand the necessity and struggle of fixing vulnerable code. Intelligent remediation guidance delivers specific, actionable steps that our customers can take to quickly resolve their particular application vulnerabilities and stop the cycle of endless security alerts.