It's Looking Like a Hot, Messy Summer for Security Teams as AI Finds Hidden Vulnerabilities
Arthur T Knackerbracket writes:
Time to start praying to the goddess of wisdom and war:
It's going to be a "messy" summer for security folks, especially when it comes to fixing the open source code that underpins their organizations.
That's according to Dan Lorenc, CEO and co-founder of Chainguard, a software supply-chain security company leading Athena, a newly formed coalition of about two dozen companies that wants to make the process of finding and fixing open source bugs "as easy to consume as possible."
The members have committed to using AI to prevent attacks on open source software. In addition to Chainguard, other founding member companies include BNY, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTM, and PwC.
Many of these member companies are also partners with Anthropic's Project Glasswing and OpenAI Daybreak, which allow them to try out the pair's most advanced bug-hunting models. The coalition accepts vulnerability findings generated by all frontier models, according to Lorenc.
Athena has already processed more than 20,000 findings and developed over 2,000 patches across 500 open source projects.
In about three weeks, the coalition's first wave of bug disclosures will begin.
"This is going to be a messy summer for everyone," Lorenc told The Register in a phone interview.
[...] "Put yourself in the shoes of someone with Glasswing access," he said. "You get this crazy, new model that can find vulnerabilities everywhere, that no one had seen and you had missed for years with all of your other tooling. You run it on your code, and it finds tons of stuff in your first-party code, the stuff that you've written, and you fix all of that."
After running Mythos Preview on all of your organization's proprietary code, imagine pointing the model at an application. Most modern apps contain a mixture of code from different sources, mostly third-party. According to Lorenc, 95 percent of the code in any of these codebases is open source.
"When you run [advanced models] at the application level, you find a ton of vulnerabilities in open source code that you can't fix for yourself the same way you can that first-party code," Lorenc said. "So then you're left with: what to do?"