
Ox Security Launches AI Agent That Auto-Generates Code to Fix Vulnerabilities – Source: www.securityweek.com


Source: www.securityweek.com – Author: Kevin Townsend

Ox Security has introduced a new AI-powered extension that goes beyond identifying vulnerabilities — it automatically generates organization-specific code to fix them.

The platform integrates with customers’ existing security tools. That integration surfaces vulnerabilities in code that developers should fix. But developers are already overwhelmed by competing requests: from product managers, from customers wanting performance fixes, and from internal staff wanting new apps or routines. Adding bug fixes to that queue only compounds the problem, with demands of differing severity leaving developers struggling to get a grip on priorities.

The Ox platform already sifts these competing demands and recommends priorities to developers, accompanied by ‘generic’ solutions (for example, ‘You should avoid parameters from a user getting to your database directly’). Generic recommendations tell the developer what needs to be done, but not necessarily how it should be done – and certainly don’t do it for the developer.
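The gap between ‘what’ and ‘how’ in that example recommendation, illustrated with an added snippet that is not Ox’s code or the article’s: a lookup that splices a user-supplied name straight into SQL text beside the parameterized fix a developer would actually have to write. The in-memory SQLite table and sample names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the article: an in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # The pattern the generic advice warns about: the user's parameter reaches the
    # database as part of the SQL text, so it is interpreted as syntax, not data.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    # The concrete fix: the driver binds name as a value; it can never alter the query.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Runs both versions on a plain name, a legitimate name containing a quote,
    # and a classic tautology string, and reports what each version returns.
    conn = make_db()
    results = {
        "fixed_plain": find_user_fixed(conn, "alice"),
        "fixed_quote": find_user_fixed(conn, "O'Brien"),
        "fixed_tautology": find_user_fixed(conn, "x' OR 1=1 --"),
        "unsafe_tautology_rows": len(find_user_unsafe(conn, "x' OR 1=1 --")),
    }
    try:
        find_user_unsafe(conn, "O'Brien")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        # The apostrophe in a legitimate name breaks the spliced query outright.
        results["unsafe_quote"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The unsafe version returns every row for the tautology input and fails on a real name containing an apostrophe; the parameterized version returns exactly the matching row in both cases.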

The new Ox AI agent (dubbed Agent Ox) takes this concept one stage further and generates the code to fix the bugs. The developer reviews this code. If accepted, a single click adds it to the code repository, and it is included in production at the next CI/CD deployment.

AI has been able to help with coding issues for several years. “But here’s the problem,” says Ox Security in an associated blog: “Most of those promised AI features? They’re generic. They generate boilerplate advice, cookie-cutter recommendations, and one-size-fits-nobody fixes.”

“We’ve been able to generate generic recommendations for years,” explains Neatsun Ziv, co-founder and CEO of Ox Security. “But the new system is not a generic recommendation. It uses the developer’s own writing style and the names of the parameters, and the context used in the ecosystem; and then we do the heavy lifting by writing real code to fix the problem.”

It’s a three-stage process. First, vulnerabilities are identified through native scanning and third-party integrations across code, dependencies, containers, and runtime environments. Second, Ox determines if the vulnerabilities are reachable, exploitable, and impactful – eliminating noise and false positives, and providing prioritization. Third, the new Agent Ox analyzes the organization’s code architecture and runtime context to generate secure, tailored fixes.

This code is reviewed by the developers and can be accepted with a single click. “That one click will approve the changes and change the code. Typically, it is automatically sent to the repository – let’s say GitHub – where it is included in the codebase. From there CI/CD might push new code into production perhaps on a weekly basis,” continues Ziv.


That weekly turnaround could include 50 separate code fixes sent from 50 separate developers. In each case the journey is from unknown through automated discovery and prioritization to code generation, review and, via 50 individual ‘single clicks’, on into production.

The new code is generated by Agent Ox. This is effectively a cluster of agents looking at the discovered vulnerability from different viewpoints. One of them, for example, represents an ‘architect’ view.

“The architect type is a person that understands the complexity of the business logic and the database structure and what the data means,” explains Ziv. “So, this is now represented by an agent that says, ‘Okay, inside your code I can see that this piece of code is going to touch PII data, and this piece is going to touch the authentication mechanism, and this has access to these SaaS services.’ So, by inserting this business logic into the equation, and other viewpoints from the other agents, we can get a very coherent and balanced answer to why this is important and why this should be fixed first.” After prioritization, Ox AI writes the code to fix the problem.

“Security tools shouldn’t just point out flaws; they need to help developers fix vulnerabilities intelligently,” said Ziv. “Developers need solutions that engender trust and understand their specific codebase, as opposed to generic fixes that often create more problems than they solve.”

Agent Ox provides a specialized and contained form of vibe coding that doesn’t require a programmer to specify the required outcome or to develop a major system (where vibe coding is still weak). Each fix is small and constrained, which is where vibe coding is strong. The specification comes from locating vulnerabilities (the Ox platform), analyzing them from multiple viewpoints to prioritize requirements and write the fixing code (Agent Ox), and review and commit by a single click (the developer).

The future of AI and coding may well involve original vibe coding (we’re not there yet, but maybe in a few years’ time) subsequently maintained by specialized agents that understand the changing environment.

Related: Vibe Coding: When Everyone’s a Developer, Who Secures the Code?

Related: Flaw in Vibe Coding Platform Base44 Exposed Private Enterprise Applications

Related: Should We Trust AI? Three Approaches to AI Fallibility

Related: Ox Security Bags $60M Series B to Tackle Appsec Alert Fatigue

Original Post URL: https://www.securityweek.com/ox-security-launches-ai-agent-that-auto-generates-code-to-fix-vulnerabilities/
