OpenSSF Head Delivers AI Warning for Application Security
The overall state of application security is likely to worsen if organizations fail to take note of advances in artificial intelligence (AI).
Brian Behlendorf, general manager for the Open Source Security Foundation (OpenSSF) this week warned attendees of the CloudNative Security North America conference that organizations need to assume it is only going to get easier to launch, for example, automated sphear phishing attacks against development teams.
Given enough time, all bugs are discoverable and exploitable, noted Behlendorf. As advances such as AI models based on generative pretrained models (GPT) become more accessible, it’s only a matter of time before they will be used by cybercriminals to launch more sophisticated attacks, he said.
Examples of such potential attacks include the use of a corrupted AI model to deliberately create software defects that could be exploited after being deployed in a production environment. Another potential attack could use AI-generated pull requests designed to slow or stop reaction to a newly discovered zero-day vulnerability, noted Behlendorf. It’s even possible to corrupt two-factor authentication processes, he added.
The ways in which the latest generation of AI platforms might be used for nefarious purposes by cybercriminals has been well documented. Too many organizations are betting on transitioning to zero-trust architecture to thwart these and other threats. However, there’s no such thing as a zero-trust architecture, said Behlendorf. Every application, to varying degrees, makes assumptions, has biases and default settings that can be exploited, he noted.
The best cybersecurity strategy any organization can pursue is to reduce the size of the attack surface as much as possible, added Behlendorf. As part of that effort, it’s more critical than ever to attach “expiration dates” using a software bill of materials (SBOM) that enables organizations to better assess their overall level of risk, he added. There are too many instances of developers using outdated software or, worse yet, software that is no longer being actively updated to remediate vulnerabilities, Behlendorf noted. Software that has not been updated in a reasonable amount of time should preemptively generate a common vulnerabilities and exposure (CVE) notice, he added.
The OpenSSF is leading an effort to make sure open source software running in production environments is secure, improve vulnerability discovery and remediation and reduce the amount of time required to patch software. The challenge many organizations are encountering is the assumptions being made about the relative security of both the open source and proprietary software they employ.
Many contributors to open source software assume that security is the responsibility of the organization that uses the free software that they were gracious enough to create. While that “user beware” approach to security is understandable from individuals that are not compensated for their efforts, there’s clearly a balance to be struck between taking no responsibility for security and giving end users more confidence in the code being provided. The issue is most developers don’t have a lot of security expertise, so the odds mistakes will be made that cybercriminals can exploit remains high.
There are proposals such as the Cyber Resiliency Act being advanced within the European Union that would make developers more accountable for the software they created if they received any kind of compensation for it. However, those proposals need to be crafted in a way that doesn’t discourage developers from continuing to innovate, noted Behlendorf.
The good news is that, arguably, there has never been greater focus on securing software supply chains. The challenge is that advances in AI may be outpacing those efforts.
