CISOOnline

Anthropic grants Project Glasswing access to 150 more companies, with a focus on critical infrastructure

If Project Glasswing, and similar projects from other major AI vendors, increase the stream of vulnerability identifications by 10 or more times, will vendors be able to triage and patch them in a timely manner? Vendors have historically been notoriously slow to patch known security issues. Microsoft, for example, recently argued with a security researcher who went public with holes because he felt that Microsoft was too slow in addressing them. 

And even if those vendors can keep up, are enterprise SOCs going to be able to keep up with the avalanche of patches? And if extensive automation is deployed to generate those patches, will CISOs trust them enough to let them be deployed without manual verification? Trust is not a common CISO trait.

“What each partner has in common is that a successful attack on their codebase could be catastrophic. For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security,” Anthropic said in its blog post announcing the new participants. “This expansion is the next step toward our long-term goals: for AI to make all software more secure, and for us to help the industry adjust to how AI could change many of the core assumptions of cybersecurity.”

Glasswing was announced on April 7 and was initially supported by AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Okta later confirmed that it was also involved. 


