The Rise of Vulnerability Disclosure
A hundred years ago, bacterial infections could be routinely fatal, because antibiotics hadn’t yet been isolated and put into clinical use. Sure, many cultures over the course of human history had made the connection that certain types of mold could halt infection, but it wasn’t until the late 1920s through the 1930s that that relationship was tested and ‘codified’, for lack of a better word. Today, there are dozens of types of antibiotics, most of them made from synthetic ingredients, both to control the ratio of helpful to harmful effects and to keep the product sterile so it doesn’t make an injury or its side effects worse. No one is putting raw bread mold on a cut anymore. Nor is amputation an automatic response to infections like gangrene or aggressive bacteria, although there are exceptions (members of my family have needed surgery to save them from internal staph infections and I nearly lost my hand after a dog bite went gangrenous when I was young).
Why am I bringing this up? I often compare cybersecurity to medicine. Digital infections behave very similarly to biological ones, up to and including the occasional necessity of amputation (outright deletion, or restoring to a previous known-good version). As we become better versed in how things can go wrong with our health, we also learn how to treat them, varying degrees of success notwithstanding. This is the fundamental heart of what cybersecurity is, as well. As we are imperfect beings, so too are the products of our creativity, such as the software we write. The more we learn about how those programs can go wrong, the more we learn how to remediate them. Or at the very least, we learn how to diagnose them better.
Ten days ago, I reported on a warning from the UK’s National Cyber Security Centre (NCSC) with regards to a tidal wave of patches and updates that would be coming on the heels of AI-assisted vulnerability detection. A week ago, I wrote a report on scale, and how it affects the prevalence of issues and how we disseminate them. Today, an article from VulnCheck on my news feed details some hard numbers on how vulnerability disclosure has exponentially increased in this calendar year.
Collaborations like Project Glasswing have shone a spotlight on just how many vulnerabilities are unaccounted for across operating systems dating back to the dawn of the internet age. It’s not perfect, certainly. Many false positives have been reported, which skew the overall numbers a bit. But the fact remains: there is a significant uptick in detection in recent months. It looks like a corresponding rise in flaws and bugs, but is it really? Or is it just that we’re now finding the ones that have always been there? A little from column A, a little from column B. Because, yes, scale is a factor. There are more programs, applications, and open source packages than ever before, and statistically that makes it more likely that flaws will emerge. And with more vulnerabilities comes more exploitation. Rule 34A stands: if it exists, it will be exploited.
What does this mean for the industry as a whole? In short: more work. And more need for people trained to do it. AI tools are just that. Tools. They cannot replace real human judgment or action.
Whether this surge is simply inflated by new detection tactics or is caused by an actual increase in flawed code remains to be seen. Either way, defenders at every level of cybersecurity should be prepared for a backlog of issues that need fixing, and the pile will only grow. But it isn’t just in our hands. Enterprises should also be proactive: updating and patching often, practicing good digital hygiene and compliance for prevention, and having a plan of action in place before anything goes wrong. An ounce of prevention is worth a pound of cure. It’s just as true digitally as it is medically. And it’s why your friendly neighborhood WISP exists. We’re here to help.
Posted, 5/15/26