
Software Vulnerabilities Are Overwhelming Experts; Artificial Intelligence May Be Able to Help

Christian Vasquez
2025-03-28

Wider use of artificial intelligence may help companies prioritize which software vulnerabilities to fix.


Image credit: Jakub Porzycki/NurPhoto via Getty Images


Translator: 中慧言-王芳


After spending more than 20 years in the cybersecurity field, David Lindner is ready for the industry to change.

As chief information security officer at cybersecurity firm Contrast Security, he’s pushing for fellow CISOs to be more early-adopter enthusiasts than old school security practitioners. Having spent a good portion of his career in security, he thinks the industry needs to change by using artificial intelligence before a major cyberattack forces its hand.

“Security is just slow to adapt sometimes,” Lindner said. “I think we’re on the precipice of something different. I really think people are going to have to start doing things differently.”

For years, the software ecosystem has been infested with bugs, leaving malicious hackers with a buffet of options to exploit. Meanwhile, software continues to be churned out at an ever-increasing pace, rife with known defects.

Lindner warns that developers using artificial intelligence to speed up software production will increase the number of options that hackers can attack as well as the number of vulnerabilities. The answer is to fight the consequences of artificial intelligence with more artificial intelligence, Lindner said, to help organizations determine what their cybersecurity priorities should be.

Deciding priorities depends partly on the unique infrastructure and products each company owns and operates. It’s a monumental task that takes up huge resources, argues Lindner.

The National Vulnerability Database, a federally run repository of software vulnerabilities, tracks and releases over a hundred bugs daily that vary in severity. Some bugs can be safely ignored, but others should be immediately patched or the risk mitigated.

By the time developers can get around to fixing bugs, there are often new ones to join the already long backlog of vulnerabilities. The situation is so unmanageable that nearly half of all organizations have had a critical vulnerability remain in their software for longer than a year, a report by the software security firm Veracode found.

“Prioritization has been forever the vein of AppSec’s existence, because we just don’t ever have enough information where it matters,” Lindner said, using industry jargon for application security.

Lindner began his technology career as a developer before quickly finding an interest in security. He started in the security field at a medium-sized insurance company that was just beginning to explore application cybersecurity.

Lindner had just joined the security team when he discovered the world of penetration testing, in which professional hackers are paid by companies to try to find bugs and vulnerabilities in their products.

“We hired a third party to come in and run a [penetration] test and my eyes just kind of lit up,” Lindner said. “I was like holy s***, this is awesome. This is so cool and I decided to go get my master’s.”

He spent the better part of 15 years in application security after finishing his master’s in 2006. Lindner next went to IBM before consulting in the same space for around eight years. In 2008 he went to a security firm, of which a portion would spin out to eventually become Contrast Security.

Now, he believes the ecosystem is ready for major change—whether people are ready for it or not. Software developers and cybersecurity practitioners are essentially in a boat filled with holes, armed with a bucket that is also filled with holes. “A lot has changed, but nothing has changed,” Lindner said.

Fixing vulnerabilities is often a frustrating topic for Lindner, largely because he’s been seeing the same thing for years. For example, the Open Worldwide Application Security Project (OWASP), a nonprofit organization that focuses on software security, releases the top 10 web application security risks every year. And every year, the top 10 risks are largely the same, Lindner said.

Lindner’s push for more AI is partly driven by CISOs he has heard from who oppose using AI tools, citing security and privacy issues. However, he says the industry has been using AI in one form or another for years before generative software became popular. For example, email spam filters are an early use of machine learning that quickly became a norm to deal with the deluge of unwanted emails.

“I want to see people embrace it and take advantage of newer things,” Lindner said. “AI is not scary. It’s powerful and it’s going to help us.”
