OWASP BASC 2025

Academic projects, linters, and IDE helpers provided a foundation for simple automatic code refactoring, but lacked the depth to address complex code issues found by tools. Recently, the landscape of tools used to change code saw explosive growth. Several open source code mutation frameworks have emerged, allowing expressive and impactful code transformations. LLMs have also jumped into the picture, promising power and delivering “cool” – but also towing chaos. We’ll explore the capabilities of these tools, including synergistic strategies – all towards answering the question: “are we ready to automatically fix code issues?” Finally, we’ll look at the horizon and make the case that the era of self-healing software is approaching quickly, even if it looks a little different than what you might expect. I have been working in AppSec for 20 years as a consultant, researcher, and innovator — and just a few years ago, the thought that we could have machines fixing vulnerabilities sounded, to my ears, like pure fantasy. I plan to show the evolution of code refactoring capability on a pretty clear trajectory during that time period, and how many important problems can be automatically fixed, today — including things found by static analysis, and things your static analysis can’t find — all with open source tooling. I will spend just a few minutes on “how we got here”, and split time mostly on what can be done today, what gaps remain, and where the tooling is headed and how that coincides with some major limitations in our labor market now. To back up my point point, I will: - Demo a few brief product security use cases in OSS - Offer 3 case studies share, including 1 open source case study - Show statistics on higher code throughput due to generative AI I’ll also point out the important limitations of automation in this space today — but focus on how product security should be using these capabilities to scale their expertise in an era where generative AI will be putting more and more code through the “verification” pipeline we have today. Takeaways 1. Product security teams can automate much of the toil that comes out of their SAST. 2. AI, when used correctly, can answer AppSec questions effectively. 3. Some of the original dreams around self-healing software are achievable. All of us in the industry are in desperate need of high yield levers to exert positive influence on our software development lifecycle, and Automatic Code Remediation is one of those levers.