Industry reacts to Gold Eagle vulnerability management plan

<p>The tech industry is cautiously optimistic about the U.S. government’s announcement this week to create a centralized clearinghouse for AI-discovered vulnerabilities. The key, executives and analysts said, will be how well the new initiative executes on its mission to collect and sort information on security flaws.</p>
<p>If the new Gold Eagle project simply produces huge quantities of unvalidated vulnerability reports, then a big problem only becomes worse, observers worry.</p>
<p>Unveiled Tuesday by the Trump administration, Gold Eagle is an effort to confront the growing challenge of software vulnerabilities being exposed by advanced LLMs. The volume of AI-found flaws is overwhelming human developers and security professionals. This creates a new and unpleasant reality for maintainers of code and the IT admins handling <a href=”https://www.techtarget.com/searchenterprisedesktop/definition/patch-management”>patch management</a> and day-to-day security updates.</p>
<section class=”section main-article-chapter” data-menu-title=”Too many flaws, too few fixes”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Too many flaws, too few fixes</h2>
<p>Testing done with Anthropic’s Mythos LLM, for example, reportedly uncovered 10,000 significant vulnerabilities in just <a href=”https://www.techtarget.com/searchsecurity/news/366643606/First-month-of-Mythos-Preview-testing-exposes-10K-flaws”>one month of screening work under Project Glasswing</a>, a cross-industry coalition of companies granted early access to Mythos. Some of the vulnerabilities, Anthropic said, had gone unnoticed for decades.</p>
<p>Recent tests found gaps even in <a href=”https://apnews.com/article/anthropic-mythos-ai-classified-systems-vulnerabilities-testing-3e8762c0527c4d8ed657cbe48c84a718″>highly guarded, classified U.S. government systems</a>.</p>
<p>On a parallel track, <a href=”https://www.techtarget.com/searchsecurity/news/366643546/For-CISOs-dawn-of-OpenAI-Daybreak-brings-good-and-bad-news”>OpenAI’s Daybreak initiative</a> aims to make vulnerability verification and remediation more efficient by uniting GPT models and the Codex Security system.</p>
<p>The government’s Gold Eagle initiative is important recognition that frontier LLMs are forcing organizations to rethink how they remediate software, said Aaron Mitchell, CEO at HeroDevs, a company that helps companies secure their source software.</p>
<p>”Gone are the days of fixing vulnerabilities as they come in,” Mitchell said. “Security and engineering teams can’t keep up with the volume of findings or the amount of change required to continuously upgrade software.”</p>
<p>AI’s astonishing ability to find security weaknesses in code presents a monumental challenge — even to organizations that adhere to <a href=”https://www.techtarget.com/searchsecurity/definition/cyber-hygiene”>cyber hygiene</a> best practices and are diligent about <a href=”https://www.techtarget.com/searchsecurity/tip/Types-of-vulnerability-scanning-and-when-to-use-each”>vulnerability scanning efforts</a>. The scale of the problem and potential for widespread harm to IT systems has gotten Washington’s attention, with the Trump administration <a href=”https://www.cybersecuritydive.com/news/cisa-ai-trump-executive-order-implementation/822001/”>issuing an executive order</a> in June calling for action on the AI front.</p>
</section>
<section class=”section main-article-chapter” data-menu-title=”The prioritization problem”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>The prioritization problem</h2>
<p>Gold Eagle is a step in the right direction, said Tyler Fordham, director of offensive security at Dark Wolf, a DevSecOps services company, but he sees potential problems with a government-run, AI-driven clearinghouse. If it simply dumps raw, automated alerts on IT teams, it will lead to patch fatigue and confusion about which vulnerabilities to prioritize, he said. Plus, a vast centralized database presents an inviting target for state-sponsored threat actors.</p>
<p>”For Gold Eagle to succeed, it has to be built as a secure resource that supports and funds defenders, not just another federal compliance initiative telling people what to fix,” Fordham said.</p>
<p>A centralized queue of endless technical information won’t do much to solve problems, said Joshua Copeland, cybersecurity director at Crescendo, which makes AI-based customer-experience tools.</p>
<p>”Gold Eagle will achieve success only if it functions as a decision and remediation engine, rather than merely serving as an advanced vulnerability collection system,” said Copeland, who is also an adjunct professor at Tu

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Search Security Resources and Information from TechTarget

Read the original article: