‘AI-Powered Remediation’: GitHub Now Offers ‘Copilot Autofix’ Suggestions for Code Vulnerabilities

InfoWorld reports that Microsoft-owned GitHub “has unveiled Copilot Autofix, an AI-powered software vulnerability remediation service.”
The feature became available Wednesday as part of the GitHub Advanced Security (or GHAS) service:

“Copilot Autofix analyzes vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found,” GitHub said in the announcement. GHAS customers on GitHub Enterprise Cloud already have Copilot Autofix included in their subscription. GitHub has enabled Copilot Autofix by default for these customers in their GHAS code scanning settings.

Beginning in September, Copilot Autofix will be offered for free in pull requests to open source projects.

During the public beta, which began in March, GitHub found that developers using Copilot Autofix were fixing code vulnerabilities more than three times faster than those doing it manually, demonstrating how AI agents such as Copilot Autofix can radically simplify and accelerate software development.

“Since implementing Copilot Autofix, we’ve observed a 60% reduction in the time spent on security-related code reviews,” says one principal engineer quoted in GitHub’s announcement, “and a 25% increase in overall development productivity.”

The announcement also notes that Copilot Autofix “leverages the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs.”
Code scanning tools detect vulnerabilities, but they don’t address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn’t the problem. Fixing them is…

Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities… Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request…. For developers who aren’t necessarily security experts, Copilot Autofix is like having the expertise of your security team at your fingertips while you review code…

As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. We firmly believe that it’s highly important to be both a responsible consumer of open source software and contributor back to it, which is why open source maintainers can already take advantage of GitHub’s code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, we’re thrilled to add Copilot Autofix in pull requests to this list and offer it for free to all open source projects…

While responsibility for software security continues to rest on the shoulders of developers, we believe that AI agents can help relieve much of the burden…. With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed.

Read more of this story at Slashdot.

National Public Data Confirms Breach Exposing Social Security Numbers

BleepingComputer’s Ionut Ilascu reports: Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information. The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses.

In the statement disclosing the security incident, National Public Data says that “the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).” The company acknowledges the “leaks of certain data in April 2024 and summer 2024” and believes the breach is associated with a threat actor “that was trying to hack into data in late December 2023.” NPD says they investigated the incident, cooperated with law enforcement, and reviewed the potentially affected records. If significant developments occur, the company “will try to notify” the impacted individuals.

Read more of this story at Slashdot.

US Fines T-Mobile $60 Million, Its Largest Penalty Ever, Over Unauthorized Data Access

The U.S. Committee on Foreign Investment (CFIUS) fined T-Mobile $60 million, its largest penalty ever, for failing to prevent and report unauthorized access to sensitive data tied to violations of a mitigation agreement from its 2020 merger with Sprint. “The size of the fine, and CFIUS’s unprecedented decision to make it public, show the committee is taking a more muscular approach to enforcement as it seeks to deter future violations,” reports Reuters. From the report: T-Mobile said in a statement that it experienced technical issues during its post-merger integration with Sprint that affected “information shared from a small number of law enforcement information requests.” It stressed that the data never left the law enforcement community, was reported “in a timely manner” and was “quickly addressed.” The failure of T-Mobile to report the incidents promptly delayed CFIUS’ efforts to investigate and mitigate any potential harm to U.S. national security, they added, without providing further details. “The $60 million penalty announcement highlights the committee’s commitment to ramping up CFIUS enforcement by holding companies accountable when they fail to comply with their obligations,” one of the U.S. officials said, adding that transparency around enforcement actions incentivizes other companies to comply with their obligations.

Read more of this story at Slashdot.

Dubai Court Recognizes Crypto As a Valid Salary Payment

The Dubai Court of First Instance has declared that cryptocurrency can be used as a legal form of salary under employment contracts. CoinTelegraph reports: Irina Heaver, a partner at UAE law firm NeosLegal, explained that the ruling in case number 1739 of 2024 shows a shift from the court’s earlier stance in 2023, where a similar claim was denied because the crypto involved lacked precise valuation. Heaver believes this shows a “progressive approach” to integrating digital currencies into the country’s legal and economic framework. Heaver said that the case involved an employee who filed a lawsuit claiming that the employer had not paid their wages, wrongful termination compensation and other benefits. The worker’s employment contract stipulated a monthly salary in fiat and 5,250 in EcoWatt tokens. The dispute stems from the employer’s inability to pay the tokens portion of the employee’s salary in six months.

In 2023, the court acknowledged the inclusion of the EcoWatts tokens in the contract. Still, it did not enforce the payment in crypto, as the employee failed to provide a clear method for valuing the currency in fiat terms. “This decision reflected a traditional viewpoint, emphasizing the need for concrete evidence when dealing with unconventional payment forms,” Heaver said. However, the lawyer said that in 2024, the court “took a step forward,” ruling in favor of the employee and ordering the payment of the crypto salary as per the employment contract without converting it into fiat. Heaver added that the court’s reliance on the UAE Civil Transactions Law and Federal Decree-Law No. 33 of 2021 in both judgments shows the consistent application of legal principles in wage determination.

Read more of this story at Slashdot.