When large corporations scan their software for vulnerabilities they might find between 1,000 and 100,000 issues that need fixing, and reviewing each one can take a full hour. On average about one in four vulnerabilities is exploitable, and each of those takes about five hours to fix. Application security teams can’t keep up with this never-ending cycle, so vulnerabilities are typically left unfixed for months, leaving companies more exposed to attack.
“That is the issue we solve,” says Eitan Worcel, CEO and Co-founder of Mobb, a Boston, Massachusetts-based startup that offers automatic vulnerability remediation to help security teams reduce backlogs and more effectively protect assets.
Mobb, which won first prize at the Black Hat USA 2023 Startup Spotlight competition, doesn’t scan for bugs. There are plenty of existing products that do that. “Vendors that conduct code scans consider it successful if their reports find more problems than competitors, but finding more problems without facilitating the remediation doesn’t make organizations more secure,” says Worcel. “We created Mobb to fix problems with AI-powered automation that reduces each fix to minutes.”
Other vendors are also trying to automate remediation. GitHub recently announced an autofix capability designed to help developers achieve faster fix times, which it says will lead to increased productivity, less security technical debt, and more secure code. With this feature, developers receive AI-generated fixes for CodeQL JavaScript and TypeScript alerts directly in their pull requests. “These are not just any fixes, but precise, actionable suggestions that will allow you to quickly understand what the vulnerability is and how to remediate it,” promises GitHub. Israeli startup Vicarius also offers both scanning and autonomous vulnerability remediation.
Worcel says Mobb’s differentiator is that it focuses only on fixing problems rather than finding them, so it can partner effectively with companies that already provide the scans, such as Checkmarx, an application security testing company.
Earlier this month, Checkmarx announced a partnership with Mobb. The collaboration benefits developers, application security (AppSec) managers and Chief Information Security Officers (CISOs) alike as “we work to power the transition to DevSecOps,” says Worcel. DevSecOps is a collaboration framework that extends DevOps by adding security practices to the software development and delivery process.
Alignment and trust between CISOs, AppSec professionals and developers is paramount in order to identify and address highly critical vulnerabilities that could impact an enterprise, he says. “Being able to prioritize for the greatest business impact, integrate directly into developers’ workflows, and equip your teams with the tools needed to secure applications from the first line of code are no longer ‘nice to haves,’ they are ‘need to haves,’” says Worcel. “For enterprises, this can be even more challenging due to volume and scale: large development teams, billions of lines of code, hundreds of applications to release, and competing priorities.”
Checkmarx and Mobb say their partnership bridges the gap between developers and security in two key ways:
- Checkmarx’s static application security testing (SAST), which analyzes source code to find the vulnerabilities that leave an organization’s applications open to attack, prioritizes its findings to minimize the noise that enters the developer workflow. Developers can then trust that the alerts represent genuinely exploitable problems, so they know what to fix first.
- Mobb’s AI engine auto-remediates the vulnerabilities Checkmarx identifies in a few clicks, so developers no longer need to review scan reports and hunt for fixes and fix locations. This means they can focus on innovation, says Worcel.
It works like this: the workflow can start when a developer commits code changes to GitHub, and a SAST scan runs as part of that workflow. Once the scan completes, Mobb analyzes the findings and identifies every instance of an issue type it supports. For each finding it extracts the information it needs, then analyzes the vulnerability and the surrounding source code for the context of how the flaw was introduced. Mobb matches one of its pre-prepared fix algorithms to that context, and the algorithm builds the fix. The vulnerability and proposed fix are flagged to the developer, shown side by side with the vulnerable code; when the developer approves, the fix is applied automatically. Once the fixed branch is merged into the main branch, the scan can be re-run to verify that the fix is in place.
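The commit, scan, fix, approve and re-scan loop described above, reduced to an added illustration in Python (constructed for this page, not Mobb’s or Checkmarx’s code): it reads a scanner report in the SARIF shape, matches each finding’s rule to a fix template only where the flagged line is a shape the template understands, produces the before/after pair a developer would approve, and re-runs the detector on the fixed lines. The rule IDs, the two fix templates, and the sample repository files are assumptions made for the example; real SAST output carries far more fields, and a production fixer would work on a parsed syntax tree rather than a line regex.

```python
# Toy auto-remediation loop: SAST findings -> templated fix -> approval -> re-check.
# Illustration only: rule IDs, fix templates and sample files are constructed,
# not Mobb's or Checkmarx's code.
import re
from collections import namedtuple

# Constructed scanner report in the SARIF shape (assumes the SAST tool exports
# SARIF, as the major scanners do; only the fields used here are present).
SARIF = {"runs": [{"results": [
    {"ruleId": "py/sql-injection", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 4}}}]},
    {"ruleId": "py/weak-hash", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 3}}}]},
    {"ruleId": "py/sql-injection", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/report.py"}, "region": {"startLine": 2}}}]},
    {"ruleId": "py/ssrf", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/fetch.py"}, "region": {"startLine": 2}}}]},
]}]}

# Constructed sample repository: path -> file contents.
REPO = {
    "app/db.py": ("import sqlite3\n"
                  "def find_user(conn, name):\n"
                  "    cursor = conn.cursor()\n"
                  "    cursor.execute(f\"SELECT id FROM users WHERE name = '{name}'\")\n"
                  "    return cursor.fetchone()\n"),
    "app/auth.py": ("import hashlib\n"
                    "def fingerprint(data):\n"
                    "    return hashlib.md5(data).hexdigest()\n"),
    # Supported rule, but the query is built elsewhere: no template applies.
    "app/report.py": ("def run(cursor, q):\n"
                      "    cursor.execute(build_query(q))\n"),
    # A rule the fixer has no template for at all.
    "app/fetch.py": ("import requests\n"
                     "def get(url):\n"
                     "    return requests.get(url)\n"),
}

# One fix algorithm per supported rule: a detector regex describing the code
# context the template understands, plus the rewrite. The detector is reused
# after the fix to confirm the flagged shape is gone.
SQLI = re.compile(r"(\w+)\.execute\(f\"(.*?)'?\{(\w+)\}'?(.*?)\"\)")
MD5 = re.compile(r"hashlib\.md5\(")

def fix_sqli(line):
    # f-string with one interpolated value -> parameterized query.
    return SQLI.sub(lambda m: f'{m[1]}.execute("{m[2]}?{m[4]}", ({m[3]},))', line)

def fix_md5(line):
    # Swap the digest; the developer still confirms no stored MD5 is compared.
    return MD5.sub("hashlib.sha256(", line)

FIXERS = {"py/sql-injection": (SQLI, fix_sqli), "py/weak-hash": (MD5, fix_md5)}
Proposal = namedtuple("Proposal", "rule path line_no before after")

def findings(sarif):
    for run in sarif["runs"]:
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            yield r["ruleId"], loc["artifactLocation"]["uri"], loc["region"]["startLine"]

def propose_fixes(sarif, repo):
    """Return (proposals, skipped); skipped findings go back to a human."""
    proposals, skipped = [], []
    for rule, path, line_no in findings(sarif):
        before = repo[path].splitlines()[line_no - 1]
        if rule not in FIXERS:
            skipped.append((rule, path, line_no, "unsupported rule"))
            continue
        detector, fixer = FIXERS[rule]
        after = fixer(before)
        if not detector.search(before) or after == before:
            skipped.append((rule, path, line_no, "pattern not recognised"))
            continue
        proposals.append(Proposal(rule, path, line_no, before, after))
    return proposals, skipped

def apply_fixes(repo, proposals):
    """Apply developer-approved proposals; returns a new repo, originals untouched."""
    fixed = dict(repo)
    for p in proposals:
        lines = fixed[p.path].splitlines()
        lines[p.line_no - 1] = p.after
        fixed[p.path] = "\n".join(lines) + "\n"
    return fixed

def rescan(repo, proposals):
    """Re-run each rule's detector on the fixed line; True when every one is clean."""
    return all(not FIXERS[p.rule][0].search(repo[p.path].splitlines()[p.line_no - 1])
               for p in proposals)

if __name__ == "__main__":
    props, skipped = propose_fixes(SARIF, REPO)
    for p in props:  # the side-by-side view the developer approves or rejects
        print(f"{p.path}:{p.line_no} [{p.rule}]\n  - {p.before.strip()}\n  + {p.after.strip()}")
    for s in skipped:
        print("needs human review:", s)
    print("rescan clean:", rescan(apply_fixes(REPO, props), props))
```

The two skipped findings are the important part: one rule has no template, and one flagged line is not a shape the SQL template understands, so the tool declines rather than guessing. Refusing to emit a fix it cannot justify is what keeps a developer’s trust in an auto-remediation step, and the re-scan after merge is the check that the approved fix actually removed the flagged pattern.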
Mobb, which was launched in 2023, says its clients don’t want to be named but already include companies with tens of thousands of developers.
The Boston startup’s goal is to eventually add autonomous vulnerability remediation not just for application code but for other technology, such as infrastructure, Worcel says.
This article is part of The Innovator’s Startup Of The Week series.