Deb Radcliff interviews Bugcrowd founder and white hat hacker, Casey Ellis.
As if protecting applications wasn’t tough enough, attackers are now leveraging AI to find and exploit application vulnerabilities faster, outpacing patch efforts and evading security. This especially applies to embedded systems and open-source libraries, and all along the software supply chain.
The trend of using AI to speed up attacks and vulnerability hunting started long before Large Language Models (LLMs) like ChatGPT arrived, says Casey Ellis, founder of Bugcrowd, which outsources penetration testing and bug discovery for enterprise clients. Now, however, LLM-based AI is enabling attackers to find vulnerabilities and write scripts to exploit them even faster. In response, defenders are also using AI in their development lifecycles and in their network protections.
Casey describes today’s LLM-based AI as a “tool, a target, and a threat,” adding that AI as a target is the most “net new” research area that attackers are working on. He also explains how AI as a tool works for both attackers and defenders. As an example, he points to how both sides are starting to leverage AI to find bugs in code in open-source libraries and along the software supply chain.
“Finding vulnerabilities in open-source libraries is not hard. It’s like shooting fish in a barrel,” he jokes. AI only speeds up the process—not only for attackers but also defenders. “How do you help the maintainer find and fix these bugs? It goes back to using LLMs. Expect to see improvements over time with LLMs making developers and maintainers more efficient.”
But don’t expect AI to replace human attackers, developers, testers or defenders, Casey cautions. For optimal outcomes, humans need AI as much as AI needs humans. “My favorite analogy is like the Iron Man suit: Tony Stark is weaker than he could be, and the suit without Tony Stark isn’t as creative and intelligent as it needs to be. You put these together and we have this force multiplier.”
Resources:
GEN-AI Won’t Replace Humans or SAST in the SDLC – Interview with MITRE’s Tracey Bannon
Can AI Help Fix Security Vulnerabilities – column by CodeSecure’s Mark Hermelling