Kathleen Moriarty

How Do We Manage Vulnerabilities in the Age of AI?

Author image
Kathleen Moriarty(community contributor)

5 min read

0
Article lead image

AI-assisted development is changing more than how software is written. It might also force us to reconsider the processes we use to identify, track, and manage vulnerabilities.


Vibe coding, where developers guide AI agents to build software rather than writing line-by-line code, and the use of AI to secure it has taken over. Even sophisticated developers have transitioned due to speed and the ability to 10x their work. The implications extend far beyond how we write software - they reach into how we discover, track, and remediate vulnerabilities. The downstream processes from software development must adapt.

Consider what happens when a developer alerts the AI of a discovered vulnerability. The likely pattern is that the AI will scan through the code looking for similar vulnerabilities and ask if they should be resolved as well. A thorough review of the code base is performed to remove that type of vulnerability.

Another possibility is that the code will be regenerated from the artefact, and other existing vulnerabilities may be reduced. The model or training data may have learned improved patterns for software architecture, alignment to zero trust, and API security improvements. Since the code is being reconstructed, the vulnerabilities you seek to fix may be resolved along with an entire set that was unknown.

The limits of traditional vulnerability tracking

That changes the question we should be asking about Common Vulnerability Enumeration (CVE).

CVE has long been the vulnerability tracking and distribution method for discovered vulnerabilities. CVEs tied to versions help to sort through which ones no longer apply. CI/CD pipelines where applications are pushed out from that pipeline operate differently than code bases that a vendor would provide updates to be deployed at customer sites.

For years, we have had a different model in cloud native architectures to patch and remediate vulnerabilities without this distributed impact to customers. There have also been noted issues on which CVEs should be prioritised.

Reconsidering CVEs in a CI/CD world

But what happens as entire codebases are written anew using more secure languages and updated architecture patterns? The existing set of vulnerabilities may be removed (or potentially replaced with some new ones, hopefully far fewer). Gradually we should see a much reduced necessity to track vulnerabilities as older more vulnerable software is deprecated in favour of updated coding languages, improved architectural patterns, and software assurance improvements through AI.

So here is the question worth raising: if a vulnerability is discovered and resolved within a platform managed in a CI/CD pipeline, and you know it is resolved, should the CVE go away?

From historical record to operational signal

The purpose of the catalog is to coordinate awareness and remediation across vendors and operators who might still be exposed. If the remediation is confirmed, automatic, and verifiable - and if no impacted version remains running in the wild - what does the active CVE still serve?

Keeping it as a historical record has value for retrospective analysis. But as a live signal in a threat feed, it is noise. We should be starting to think about the best mechanisms to track vulnerabilities in a highly dynamic environment where new code and patches can not only be generated quickly, but we can also shift workloads to use updated software due to the improved resilience enabled by cloud native platforms and CI/CD pipelines.

Revisiting CVSS

This dynamic speed doesn't just break how we track vulnerabilities (CVE); it also reshapes how we score their severity (CVSS). CVSS may shift to include considerations for the operating environment of code as well. The code may be vulnerable, but how vulnerable is it if the operating environment controls are considered? Not all workloads execute within a trusted execution environment (TEE) or secure enclave, but some do. Additionally, the system may be verifying changes in running code to quickly detect exploits of known vulnerabilities, so the harm may be reduced or prevented. A static base score that ignores all of that increasingly tells us less than it used to.

What remains vulnerable?

With numerous news articles stating vulnerabilities may go away, it's an exciting time. That may happen, but we are not there yet. Even once code is universally improved with use of languages that prevent memory safety vulnerabilities, we still have the possibility of embedded malicious code (insider threat) or hardware-based vulnerabilities that are resolved in software or firmware that may flag a problem (e.g. SPECTRE/Meltdown).

AI can rapidly rewrite software to work around hardware flaws, as with SPECTRE/Meltdown (speculative execution in hardware). In this case, the hardware itself remains the lagging anchor as the core problem. With software, it is possible to transition an entire codebase over a weekend to a language known to improve memory safety. Legacy code is quickly disappearing, and this will continue over the next few years.

The next evolution of vulnerability management

Don't just accept the outcomes. Actively participate in guiding associated process changes that follow from what we are seeing in an incredible evolution in software development.

CVEs, CVSS, and threat feeds were built for a slower, more static world. We should be stepping back to consider the implications not only to vulnerabilities and exploits, but to the processes we use to manage them and the implications to our environments.


This article was originally published over on the Security Bias blog.

0

You may also like

View more

About the author

Author image

Kathleen Moriarty, founder of SecurityBiaS is technology strategist and board advisor, working with SaaS providers on security to Build-in at Scale benefiting both the provider and their customer base. Adjunct Professor at Georgetown SCS, teaching Security Architecture and Design and Cyber Threat Intelligence. Formerly as the Chief Technology Officer, Center for Internet Security Kathleen defined and led the technology strategy, integrating emerging technologies working with under resourced organisations. Prior to CIS, Kathleen held a range of positions over 13 years at Dell Technologies, including the Security Innovations Principal in Dell Technologies Office of the CTO and Global Lead Security Architect for EMC Office of the CTO working on ecosystems, standards, risk management and strategy. In her early days with RSA/EMC, she led consulting engagements interfacing with hundreds of organisations on security and risk management, gaining valuable insights, managing risk to business needs. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS. Keynote speaker, podcast guest, frequent blogger bridging a translation gap for technical content, conference committee member, and quoted on publications such as CNBC and Wired. Kathleen achieved over twenty five years of experience driving positive outcomes across Information Technology Leadership, short and long-term IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as, a Bachelor of Science Degree in Mathematics from Siena College. Published Work: - Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain, July 2020.

Comments 0