AISLE’s Open Analyzer — Finding and fixing vulnerabilities without gated frontier models
How about a company that’s working hard to make itself irrelevant?
Jaya Baloo, co-founder of cybersecurity company AISLE, said that in a way, its eventual goal is to make obsolete the thing that AISLE does. And that is, completely eliminating vulnerabilities in code.
Finding vulnerabilities is something the industry has done well, but remediating them hasn’t been. Just look at how many years cross-site scripting landed in the OWASP vulnerability Top 10.
Anthropic’s recent Claude Mythos Preview project shone a light on the volume of vulnerabilities AI can discover, and its Project Glasswing is a joint effort of a small cohort of industry leaders to create defenses. But some critics argue that the work should not be limited to just those participating companies, and question if actually delivering exploits helps attackers more than defenders.
“So, finding vulnerabilities was never a question that we had. We can find vulnerabilities with AI,” Baloo said. “The issue here is that Anthropic isn’t just finding vulnerabilities. Their claim is that they’re going through the exploit chain and actually delivering exploits. If you can create exploitability and you can find a newly mintable vulnerability, then you have a sort of exploit chain where you could potentially compromise new entities in this way.”
Baloo believes that the industry – which already wasn’t keeping up with vulnerability remediation before Mythos – could be using the new tidal wave of vulnerabilities as a bit of a scapegoat as to why these issues can’t be solved. “And that is not true,” she said, “because we already have a difficult time identifying critical assets within our infrastructure,” which complicates defense efforts regardless of vulnerability volume.
Since finding vulnerabilities has not been a problem, AISLE initially focused on remediation, intending to help companies fix problems across code, cloud, and infrastructure. This strategy relied on existing scanning technology, but AISLE quickly discovered that these scanners produce high volumes of false positives and critical false negatives. Because this initial source of truth was unreliable, AISLE shifted its focus and built its own scanner – Open Analyzer – to function as a reliable source of initial truth for vulnerability findings, without the need for gated frontier models. AISLE integrates with other scanners but prioritizes improving the flawed detection process.
In security scanning, context is paramount, Baloo explained. A vulnerability’s reachability from external sources is part of this context, but not the only part. Context enrichment involves determining how critical an asset is, understanding architectural placement, and tracking dependencies across repositories. This context improves scanner results, triage, and fixing propositions.
AISLE operates on the belief that the system surrounding the model is the key factor, not the model itself. They argue that models will only improve, and competition should focus on the framework rather than the underlying LLM . AISLE demonstrated this by proving that vulnerability discovery can be achieved using free, open-source, small LLMs running in parallel, achieving results comparable to Mythos. AISLE’s analyzer has also found novel vulnerabilities that closed models missed, confirming the system’s advantage. The company shares the tool without the exploit chain, focusing on proving the vulnerability.
AISLE’s ultimate aim is to make its own finding and fixing services obsolete. They envision a future marked by the eradication of vulnerabilities through secure coding agents, similar to how spell check eliminates spelling errors in documents.
This level of security is demanded by the growth of cyber physical systems, which include humanoid robots. The urgent to fix these vulnerabilities is highlighted by real-world security flaws, such as the remote exploitation of Unitree robots.
Baloo explained: “Last year, back, I think, in April, the robot dogs that are at every conference, the dogs that walk around everywhere, those are Unitree dogs. Those dogs were remotely exploitable, and then a couple of months later, Unitree lost their encryption keys, and they wound up on the internet. But it gets so much better. Unitree also builds a humanoid robot. Turns out that if you grab the encryption keys and … send it over Bluetooth Low Energy to the humanoid robot, you are now root on that robot. Then, that robot can scan locally for everything else in Bluetooth range, and it can find all the other robots and pwn all of them, and now you have your own robot army. We have to fix vulnerabilities because I do not want to have, like, an “I Robot” scenario.”
Correcting these flaws, she said, is essential to safeguard this increasingly interconnected world.
The post AISLE’s Open Analyzer — Finding and fixing vulnerabilities without gated frontier models appeared first on SD Times.
Tech Developers
No comments