Alexander L. King

Towards Vulnerability Operations

Discovering a vulnerability is a rush. If you have performed any pen testing, red teaming, or bug hunting, you know the feeling. It's exhilarating! When you find a clever way to subvert a system – a hack – your synapses fire as strongly as they would if you had made an original scientific discovery. You could certainly call finding vulnerabilities innovative, which helps explain why vulnerability discovery receives so much attention. Plenty of tools exist to automate vulnerability scanning (or monitor your attack surface, if you prefer). The same goes for bug bounty platforms incentivizing researchers to identify the more complex vulnerabilities most scanners are not tuned to detect. Large language models only exacerbate this glut. It is easy to imagine a world in which AI agents turn automated scanning into autonomous scanning, soaking up most of the intricate work done by the best bug bounty hunters and leaving security engineers paralyzed by the enormous amount of software that needs fixing.

Let's agree we are in no danger of running out of vulnerabilities to remediate. That leaves us with the boring, unglamorous task of patching. If the speed at which patches are rolled out can't match the speed at which vulnerabilities are found, advantage attacker. Even several months after the initial announcement of Project Glasswing, very few of the vulnerabilities identified have been patched. Yet there are reasons to be optimistic that this will not be the case for long. The ability to patch software is closely related to the ability to write secure code, an area where we know AI is improving. We should see the patching capabilities of AI models follow suit.

Assuming patching catches up with vulnerability discovery sometime soon, where do we go from here? Increasing the volume of vulnerabilities and patches may only serve to throw sand in the gears of a well-functioning security team. As continuous processes, vulnerability discovery and patching can be thought of as security operations (in the broad sense): work done in perpetuity to manage renewing sources of risk, even if you don't do that work yourself. (Keeping agents autonomous falls under the category of security operations too.)

The bottleneck, then, becomes good taste. Not something easily automatable. At first, it will be the good taste to determine whether a generated patch will mitigate a risk as intended. Finally, it will be the good taste to judge whether a patch is worth the effort at all. Understanding those nuances and making the right tradeoffs is the job of the security engineer.

#vulnops