Introducing Smart Fixes: Use your team’s secure coding patterns to fix new issues

We believe that security needs to follow the engineering best practice of automating away toil or unnecessary manual tasks. This helps improve code quality, removes human error, and increases productivity.

One of the biggest drains on productivity is breaking out of a flow to manually research how to fix a problem. For many developers, security is not their primary area of expertise and can be at odds with what they’re measured by—lines of code written or features developed. That’s why we provide hundreds (and growing) of fix suggestions right in our IDE plugins, as pull request comments, and in our platform, so you can find the solution to a policy violation without leaving the tools you’re using.

Not every policy has a fix suggestion, however, because many policies require a custom solution or offer several valid options. If you find yourself looking up the same solution each time your infrastructure as code (IaC) fails a policy check, you’re wasting time.

That’s exactly why we built Smart Fixes.

Smart Fixes are fix suggestions for IaC policy violations sourced from you and your team’s secure coding patterns!

Automated fix suggestions from past actions

Smart Fixes provides suggestions for Bridgecrew policy violations based on how your team has passed the same policy. The best part? You don’t need to change any of your patterns.

If you have an onboarded version control system (VCS), Bridgecrew will automatically track code that passes policy checks, regardless of whether the code passed the check from the beginning or was a fix that remediated a policy violation. If the same code passes the policy frequently (more than 3 times) and consistently (more than 20% of the time), Bridgecrew will suggest that change for future violations of that policy. To avoid inaccurate and distracting suggestions, the Smart Fixes algorithm only suggests values that we are confident will be used again, and we show exactly how many times each specific fix has been applied in the past so you can make an informed decision about which fix to apply.

Smart Fix for database retention

No longer will you need to remember your retention period requirements or need to teach new hires what the IP addresses of your bastion hosts are. Those code changes will be suggested to you automatically.

Once you apply that Smart Fix, Bridgecrew will open a pull request back to your VCS with the additional code. Any additional reviews can be performed before committing code and ultimately deploying the changes to secure your infrastructure.

Smart Fix pull request in GitHub

Examples of Smart Fixes in action

Let’s walk through a few examples of misconfigurations that don’t have a single, universal fix.

TLS 1.0 and 1.1 are no longer considered secure. Therefore, it’s a good idea to ensure your load balancers are using TLS 1.2 (or TLS 1.3 soon). However, there is more than one TLS 1.2 policy (a combination of protocols and ciphers) available for load balancers to use, such as `ELBSecurityPolicy-TLS-1-2-2017-01` or `ELBSecurityPolicy-TLS-1-2-Ext-2018-06`.

If you’re new to your organization or just not familiar with that compliance standard, you may not know which suite to use. Does your firm require forward secrecy? Which policy includes Diffie-Hellman handshakes? With Smart Fixes (assuming the same TLS 1.2 policy has been used frequently), the correct policy will be suggested when you forget to include one.

Another frequent example is how long to retain CloudWatch logs. Typically, customers have a set number of retention days per application. Sensitive production applications may require retention for five years (1827 days), while testing environments may only require 90 days. With Smart Fixes, Bridgecrew keeps track of the retention periods used in the past and suggests the most common ones for you to choose from, so you don’t have to ask around to get the right number. Imagine the time saved!
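To make the selection rule concrete, here is an added worked example (written for this page, not Bridgecrew’s own implementation) of the frequency and consistency thresholds described above, run over a constructed history of passing values for the two cases just discussed: the load balancer `ssl_policy` and the CloudWatch `retention_in_days`. The policy identifiers `POLICY_LB_TLS12` and `POLICY_CW_RETENTION` are placeholders, not real Bridgecrew policy IDs, and reading “more than 3 times” and “more than 20%” as strict comparisons is this example’s assumption. Each suggestion carries the number of times it was seen, mirroring the count the post says is shown to the developer.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds as stated in the post. Treating "more than" as a strict ">" is an
# assumption of this example; the real Smart Fixes rule is not published here.
MIN_COUNT = 3      # a value must have passed the policy more than 3 times ...
MIN_SHARE = 0.20   # ... and account for more than 20% of that policy's passes


@dataclass(frozen=True)
class PassingObservation:
    """One resource attribute value that passed a policy check in VCS history."""
    policy_id: str   # placeholder policy identifier (not a real Bridgecrew ID)
    attribute: str   # the Terraform attribute the policy inspects
    value: object    # the value that passed the check


@dataclass(frozen=True)
class Suggestion:
    attribute: str
    value: object
    count: int   # how many times this value passed: shown to the developer
    share: float # fraction of all passes for this policy


def suggest_fixes(history, min_count=MIN_COUNT, min_share=MIN_SHARE):
    """Return {policy_id: [Suggestion, ...]} with the most frequent value first.

    A value is suggested only if it clears BOTH thresholds, so a value that is
    seen often but makes up a small share of passes (inconsistent) is dropped,
    as is a value seen only once or twice (infrequent).
    """
    per_policy = {}
    for obs in history:
        per_policy.setdefault(obs.policy_id, Counter())[(obs.attribute, obs.value)] += 1

    suggestions = {}
    for policy_id, counts in per_policy.items():
        total = sum(counts.values())
        kept = [
            Suggestion(attribute, value, n, n / total)
            for (attribute, value), n in counts.items()
            if n > min_count and n / total > min_share
        ]
        kept.sort(key=lambda s: s.count, reverse=True)
        if kept:
            suggestions[policy_id] = kept
    return suggestions


def _repeat(policy_id, attribute, value, times):
    return [PassingObservation(policy_id, attribute, value) for _ in range(times)]


# Constructed sample history. The ELB policy names are real AWS predefined
# policies; the counts are invented to exercise both thresholds.
SAMPLE_HISTORY = (
    _repeat("POLICY_LB_TLS12", "ssl_policy", "ELBSecurityPolicy-TLS-1-2-2017-01", 5)
    + _repeat("POLICY_LB_TLS12", "ssl_policy", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06", 4)
    + _repeat("POLICY_LB_TLS12", "ssl_policy", "ELBSecurityPolicy-FS-1-2-Res-2020-10", 1)  # too rare
    + _repeat("POLICY_CW_RETENTION", "retention_in_days", 1827, 12)  # five-year production retention
    + _repeat("POLICY_CW_RETENTION", "retention_in_days", 90, 6)     # test environments
    + _repeat("POLICY_CW_RETENTION", "retention_in_days", 30, 4)     # 4 > 3 but only 1/6 of passes
    + _repeat("POLICY_CW_RETENTION", "retention_in_days", 14, 2)     # too rare
)


def describe(suggestions):
    """Render suggestions as the one-line hints a developer would see."""
    lines = []
    for policy_id, items in suggestions.items():
        for s in items:
            lines.append(
                f"{policy_id}: set {s.attribute} = {s.value!r} "
                f"(used {s.count} times, {s.share:.0%} of passes)"
            )
    return lines


if __name__ == "__main__":
    for line in describe(suggest_fixes(SAMPLE_HISTORY)):
        print(line)
```

Running the block lists two TLS policies and two retention periods. The 30-day retention is deliberately left out even though it was seen four times: it is frequent but not consistent, which is the distinction the two thresholds are meant to capture.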

Smart Fix for CloudWatch retention

Smart Fix availability

We’re super excited to bring this feature to you to automate some of the toil of fixing security violations in your IaC. And the benefit of this approach is that we’re not surfacing fix suggestions from questionable sources, but from your most trusted source—you and your team! That minimizes the noise and fine-tunes the signal for fix suggestions.

Smart Fixes will initially only be available on our Projects page but will soon be available in our other integrations, such as PR comments. Additionally, we’ll be adding Smart Fixes sourced from multiple repos and complex remediation Smart Fixes (remediations that require multiple resource changes) in the coming weeks. Smart Fixes are just one more way we’re removing friction for DevSecOps and increasing the likelihood of remediating misconfigurations in cloud infrastructure.

Try Smart Fixes out for yourself with the free 14-day trial of Bridgecrew!