Below the Surface: The Iceberg of Known Vulnerabilities

Have you ever heard the saying, “Better the devil you know than the devil you don’t”? In short, it’s better to take a risk with something or someone you understand. 

In cybersecurity, that’s not really the case. The devils we know are known vulnerabilities, documented holes or weaknesses in software and applications, and they’re both growing in number and still capable of wreaking havoc. According to Statista, the number of common vulnerabilities and exploits (CVEs) discovered per year is steadily increasing, with just over 29,000 discovered in 2023; as of August of this year, 25,583 more vulnerabilities have been added to the list. 

At this point, you may be thinking, “But if the vulnerabilities are known, doesn’t that mean that they can be patched and secured?” The answer to that question is yes, but there are three key issues to contend with:

We’re thus left with a big problem, and the industry has tried a number of solutions. 

Headcount Investment

If a company chooses to invest in increasing headcount, it quickly discovers how expensive this can be, because security staffing then has to scale one-to-one with the rest of the organization. Often, these companies then enter a cycle: 

  1. A company gets breached.
  2. The company invests in increasing headcount to make security testing scalable. 
  3. The company then experiences fatigue or can’t see the benefits, and ultimately ends up reducing headcount again.
  4. The company gets breached again. 

Over the years, many security teams have focused on what I call a “single shining pillar” to try and prevent executives from thinking security spending can be reduced. This pillar is a single concrete accomplishment that executives can understand and use to justify cybersecurity budgets. However, this runs the risk of losing the big picture of security – essential when vulnerabilities keep piling up and a tech stack’s threat surface area grows. Either way, investing in headcount is unsustainable. 

AI

It’s true: cybersecurity can reap a number of benefits from AI. At my company, DefectDojo, we’ve had significant success using ML to automatically triage findings, remove duplicate findings, and learn from human-taken actions to perform more efficiently in the future. This level of automation can save a security team a significant amount of time. 

However, we’re a long way from AI completely solving security. From what we’ve seen, large models struggle with accurately identifying security risks, and we think this is because the nature of security data is so non-uniform, disparate, or even nuanced. For example, detecting and mitigating cross-site scripting is fundamentally different from blind SQL injection, even though both types of vulnerabilities are injection based. 

In addition, trusting a third-party model, GenAI or not, requires a company to trust another with its sensitive data. While companies like OpenAI take security seriously, the treasure trove of data used to train these models is possibly the biggest prize out there for hackers. It’s a safe assumption that bad actors are constantly trying to crack into these companies, and some attacks have succeeded, like an OpenAI breach in 2023 that thankfully doesn’t appear to have reached the company’s model development systems. 

For now, AI is a useful tool, but it’s not a silver bullet. 

DevSecOps

As a concept, DevOps is nearly old enough to vote in the US. Its younger sibling, DevSecOps, is catching on quickly. DevSecOps builds on DevOps by integrating security into development and operations. By employing its principles, security becomes a cultural practice, not a responsibility mostly shouldered by a single team or department. This produces the kind of scale needed to secure modern tech stacks – known vulnerabilities included. 

DevSecOps integrates security testing and evaluations into every phase of software development, encouraging continuous collaboration between all three departments (development, security, and operations) instead of following a one-and-done testing process. As a result, the entire business tech stack is more completely secured – because the software has been built to be secure in the first place. 

DevSecOps provides a single source of truth and data that can be quickly aggregated to give software and development teams the information they need to patch vulnerabilities before they become issues. This is a problem I’ve encountered myself – it’s why I created my company.

While there are always new cybersecurity threats to worry about, it’s important to get your fundamentals right, what Bessemer Venture Partners calls a “back to basics” approach. Without a foundationally sound approach, it doesn’t matter if you’re equipped to handle the latest threats like AI voice cloning. If you’re still shipping vulnerable software or failing to address CVEs, you’re leaving doors wide open to bad actors and cybercriminals. 
