Microsoft and GitHub Preview New Tool That Identifies, Prioritizes, and Fixes Vulnerabilities With AI (thenewstack.io)
"Security, development, and AI now move as one," says Microsoft's director of cloud/AI security product marketing.
Microsoft and GitHub "have launched a native integration between Microsoft Defender for Cloud and GitHub Advanced Security that aims to address what one executive calls decades of accumulated security debt in enterprise codebases..." according to The New Stack: The integration, announced this week in San Francisco at the Microsoft Ignite 2025 conference and now available in public preview, connects runtime intelligence from production environments directly into developer workflows. The goal is to help organizations prioritize which vulnerabilities actually matter and use AI to fix them faster. "Throughout my career, I've seen vulnerability trends going up into the right. It didn't matter how good of a detection engine and how accurate our detection engine was, people just couldn't fix things fast enough," said Marcelo Oliveira, VP of product management at GitHub, who has spent nearly a decade in application security. "That basically resulted in decades of accumulation of security debt into enterprise code bases." According to industry data, critical and high-severity vulnerabilities constitute 17.4% of security backlogs, with a mean time to remediation of 116 days, said Andrew Flick, senior director of developer services, languages and tools at Microsoft, in a blog post. Meanwhile, applications face attacks as frequently as once every three minutes, Oliveira said.
The integration represents the first native link between runtime intelligence and developer workflows, said Elif Algedik, director of product marketing for cloud and AI security at Microsoft, in a blog post... The problem, according to Flick, comes down to three challenges: security teams drowning in alert fatigue while AI rapidly introduces new threat vectors that they have little time to understand; developers lacking clear prioritization while remediation takes too long; and both teams relying on separate, nonintegrated tools that make collaboration slow and frustrating... The new integration works bidirectionally. When Defender for Cloud detects a vulnerability in a running workload, that runtime context flows into GitHub, showing developers whether the vulnerability is internet-facing, handling sensitive data or actually exposed in production. This is powered by what GitHub calls the Virtual Registry, which creates code-to-runtime mapping, Flick said...
In the past, this alert would age in a dashboard while developers worked on unrelated fixes because they didn't know this was the critical one, he said. Now, a security campaign can be created in GitHub, filtering for runtime risk like internet exposure or sensitive data, notifying the developer to prioritize this issue.
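The mechanism the summary describes, static findings re-ranked by whether the code is actually deployed, internet-facing or handling sensitive data, and a "campaign" that filters on those attributes, can be modelled in a few lines. The following is an added illustration, not code from Defender for Cloud, GitHub Advanced Security or The New Stack; the field names, the weights and the sample findings are all assumptions constructed for this example, and the real products expose none of these structures.

```python
from dataclasses import dataclass

# Constructed sample data: a few static findings from code scanning and the
# runtime context a cloud-posture tool might attach to the workloads that run
# that code. None of this is Defender for Cloud or GitHub data; the field
# names and weights are assumptions chosen for this illustration.

@dataclass(frozen=True)
class Finding:
    finding_id: str
    repo: str
    package: str          # component of the repo the finding lives in
    severity: str         # "critical" | "high" | "medium" | "low"

@dataclass(frozen=True)
class RuntimeContext:
    repo: str
    package: str
    internet_facing: bool
    handles_sensitive_data: bool
    deployed: bool        # actually running in production

SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 15, "low": 5}

def priority_score(finding, ctx):
    """Combine static severity with runtime exposure (weights are assumptions).

    A finding with no runtime context, or whose code is not deployed, keeps
    only its severity weight; exposure attributes add to it, so an
    internet-facing medium can outrank a critical that never ships."""
    score = SEVERITY_WEIGHT[finding.severity]
    if ctx is None or not ctx.deployed:
        return score
    score += 20                          # running in production at all
    if ctx.internet_facing:
        score += 25                      # reachable by anyone
    if ctx.handles_sensitive_data:
        score += 15                      # impact if exploited is higher
    return score

def prioritize(findings, contexts):
    """Join findings to runtime context by (repo, package) and rank them."""
    ctx_by_key = {(c.repo, c.package): c for c in contexts}
    scored = []
    for f in findings:
        ctx = ctx_by_key.get((f.repo, f.package))
        scored.append((priority_score(f, ctx), f, ctx))
    # Highest score first; finding id breaks ties so the order is stable.
    scored.sort(key=lambda t: (-t[0], t[1].finding_id))
    return scored

def campaign(findings, contexts, *, require_internet_facing=False,
             require_sensitive_data=False):
    """Select findings the way a 'security campaign' filter would: only
    deployed code, optionally only internet-facing or sensitive-data
    workloads, returned in priority order."""
    selected = []
    for _score, f, ctx in prioritize(findings, contexts):
        if ctx is None or not ctx.deployed:
            continue
        if require_internet_facing and not ctx.internet_facing:
            continue
        if require_sensitive_data and not ctx.handles_sensitive_data:
            continue
        selected.append(f.finding_id)
    return selected

# Constructed inputs. legacy-batch deliberately has no runtime record: the
# vulnerable code is in the repo but is not deployed anywhere.
FINDINGS = [
    Finding("F-1", "shop", "checkout-api", "medium"),
    Finding("F-2", "shop", "legacy-batch", "critical"),
    Finding("F-3", "shop", "admin-portal", "high"),
    Finding("F-4", "shop", "checkout-api", "low"),
]
CONTEXTS = [
    RuntimeContext("shop", "checkout-api", internet_facing=True,
                   handles_sensitive_data=True, deployed=True),
    RuntimeContext("shop", "admin-portal", internet_facing=False,
                   handles_sensitive_data=True, deployed=True),
]

if __name__ == "__main__":
    for score, f, ctx in prioritize(FINDINGS, CONTEXTS):
        where = ("not deployed" if ctx is None else
                 f"internet={ctx.internet_facing} sensitive={ctx.handles_sensitive_data}")
        print(f"{score:3d}  {f.finding_id}  {f.severity:<8} {f.package:<14} {where}")
    print("campaign (internet-facing):",
          campaign(FINDINGS, CONTEXTS, require_internet_facing=True))
```

With these inputs the undeployed critical (F-2) drops to the bottom of the list, while the low-severity finding in the internet-facing, sensitive-data service (F-4) ties with the high in the internal admin portal; that inversion is the whole point of attaching runtime context to a scanner result. A real integration would also have to handle code that maps to several workloads with different exposure, in which case the most exposed deployment should drive the score.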
GitHub Copilot "now automatically checks dependencies, scans for first-party code vulnerabilities and catches hardcoded secrets before code reaches developers," the article points out — but GitHub's VP of product management says this takes things even further.
"We're not only helping you fix existing vulnerabilities, we're also reducing the number of vulnerabilities that come into the system when the level of throughput of new code being created is increasing dramatically with all these agentic coding agent platforms."
This would be good, if... (Score:5, Insightful)
...it accurately identified and explained the problem so that experts could fix it, possibly with AI assistance, but always with expert review.
It would be really, really bad if clueless people believed that all they had to do is run it and it would magically fix everything.
Cyberdecks soon to be here... (Score:3, Interesting)
Is this the same Microsoft? (Score:5, Insightful)
"Microsoft Warns Its Windows AI Feature Brings Data Theft and Malware Risks, and 'Occasionally May Hallucinate'" https://tech.slashdot.org/stor... [slashdot.org]
Re: (Score:2)
Microsoft is not a person. It is a massive company capable of pursuing many mandates, some of which can either appear or can actually be entirely at odds with each other.
Re:Is this the same Microsoft? (Score:4, Funny)
It basically looks for Windows and deletes it.
Microsoft ... and AI ... fixes vulnerabilities (Score:4, Insightful)
Re: (Score:1)
brb, installing windows 11 on more machines just for this guy. also gonna purchase a couple more copies of halo 6: the woke edition where master chief is a peruvian ladyboy
also the idea that Linux isn't "woke and globalist" by your definitions is fucking absurd.
So, the problem is slop and the solution is more? (Score:5, Insightful)
security teams drowning in alert fatigue while AI rapidly introduces new threat vectors that they have little time to understand;
First "problem", manufactured by "AI" - the "AI" generating meaningless slop and claiming it is valid vulnerability analysis, something people have been complaining about a lot recently.
developers lacking clear prioritization while remediation takes too long;
Second "problem", people drowning in the said slop and
and both teams relying on separate, nonintegrated tools that make collaboration slow and frustrating...
Third problem, the "tools" that the marketing "guru" is peddling, which only last year were the best on the market are now so "non-integrated" that they need what? More "AI" slop.
Sure sounds like a need for more "AI" and more slop.
GTFO, please.
Wording schwording (Score:5, Insightful)
So, what are those vulnerabilities with AI, and how can this new tool solve them?
Looking forward.
Microsoft admin of github? (Score:4, Insightful)
Perfect storm of mediocre (Score:1)
Microsoft hasn't been able to do proper security - or proper development for that matter - in half a century, and AI is notorious for pissing out poor quality code.
Glad I only use the git part of Github.
If only Microsoft saw some sense and quit pushing this disaster of a technology - or at least gave people the option to leave it out of their activities. Fuck this AI shit, seriously. It's getting really tiring now...
AI threat detection success rate is low (Score:3)
My company uses Mend, among other tools, to look for code vulnerabilities. Mend also uses AI. When reviewed by human developers, the vast majority of Mend reports are false positives. I doubt Microsoft can do better.