Security and Vulnerability Management in Infrastructure
Engineering has become more specialized than ever. In this article, we explore
some of the contemporary practices and emerging trends.
Cyberthreats have grown alongside enterprise technology capabilities, but with AI deployments and AI-powered threat actors now mainstream, the digital threat landscape is growing and changing faster than ever. Just a few years ago, before chatbots and copilots gained popularity, organizations were mainly contending with the OWASP risks in web applications and in the APIs that mobile applications connect to. The OWASP Top 10 document identifies the most critical security risks to web applications. With AI being so data-hungry, and models now lightweight enough to be hosted even in a browser on a mobile device, researchers are discovering new attack surface and new impact every day. A defense-in-depth strategy, with a fortified security posture at every layer and continuous vulnerability testing throughout the software development lifecycle, has become the mainstream response to these threats.
Human-led, AI-assisted security testing remains vital where vulnerability scanners fall short. The security researcher community has played a phenomenal role in this area, constantly upgrading its skills, delivering ongoing value and even gaining the trust of risk-averse organizations. Companies in turn are defining their vulnerability disclosure programs and bug bounty awards with safe-harbor terms that align with the U.S. Department of Justice guidance on good-faith security research.
Researchers and security experts are both aware that generative AI is one of the most significant risks impacting organizations today, particularly where data integrity must be secured. As they build up their AI skills, AI-focused testing engagements are taking shape. The most commonly reported vulnerability class in bug bounty programs is cross-site scripting (XSS); in penetration tests it is misconfiguration. Usually, researchers gravitate to bug bounty programs, which focus on real-world attack vectors, while security consultants concentrate on penetration testing, which uncovers more systemic and architectural weaknesses. Mature security programs define well-scoped engagements with both groups, typically combining a broad scope with a select team of trusted researchers. The results speak for themselves: over 30% of valid vulnerability submissions are rated high or critical.
With the recent CrowdStrike incident, in which a faulty update caused Windows machines all across the world to fail, and companies like Delta Airlines suing for five hundred million dollars, the push to keep common vulnerabilities out of production has never been stronger. That outage was a defective update rather than an exploited vulnerability, but it shows what a single defect reaching production at scale can cost. Those companies that are technologically savvy are getting far fewer reports of OWASP Top 10 security risks than the industry average.