My hot take on the vulnpocalypse:
-
My hot take on the vulnpocalypse:
We don't have more vulnerabilities than we had before. The vulnerabilities were always there, we just didn't know they existed. But importantly, for moderately sophisticated attackers, who only have to find a relatively low number of vulns to begin with, not much has changed. Yeah, it's a little bit cheaper, but finding vulns wasn't all that difficult, depending on the target. For defenders otoh, making the finding of vulns cheaper is theoretically a good thing, but we already didn't have enough capacity to fix the vulns found by fuzz testing and similar methods before, so this is just adding to the pile of stuff we know is broken but can't keep up with fixing. The net effect seems to be that we made triage more expensive. Yay.
-
@sophieschmieg I'm hoping that we can fix the initial wave of issues and then just have a higher bar for committing new code where we can find or avoid the issues before it's submitted instead of after the fact.
-
@tess We've been trying for decades. Maybe GenAI will help? There are still a lot of products/projects out there with lousy testing discipline/coverage though.
-
@tess Higher bar for committing code? That sounds like a bottleneck that's going to slow down sales. We don't have time to refine the code we've got! We need to push out new features, then more new products, especially since we can do that much faster now with our machine that rapidly generates vulnerable code! @sophieschmieg
-
@sophieschmieg 100% agree, but I've one recent observation to add. Mythos reporting got our C-levels' attention in a big way. This has had other tangential benefits. For example, our purple team (of which I'm a participant) have for many, many months (nearly two years now) recommended expanding our red team and increasing the number and type of penetration tests to include the company's new AI "employees." That was always met with an "it'll interfere with business development" denial. This week they came to us and asked how long it would take to ramp up. The plan had already been laid out and all that remains is to get stakeholders' formal approval to test their new toys. That's now assured because they are asking for it. It'll start next week. And while vulns may not always be patched quickly, I feel it really lowers the risk to have a few well-informed mitigations in place, whether via code, policies or SOP. Sometimes a little fear can move the needle in significant ways.
-
Mythos appears to make it significantly cheaper to find vulnerabilities — little to no expertise/sophistication required — copy & paste a prompt and wait. If so, that significantly increases the pool of attackers.