…if they are ethical and are hackers. At least that is what the bug bounty community thrives on …
When we think of cybersecurity today, some of the immediate buzzwords that come to mind are automation, machine learning (ML) and technological solutions.
Enterprises have introduced automated pipelines and the use of machine learning (ML) in their security software to safeguard their assets. Looking at how things are moving, these elements are surely here to stay. They help businesses optimize their processes, automate operations, and independently scan for and flag potential threats in their security systems, thereby saving time, increasing productivity, and reducing the costs of hiring.
The benefits are plenty, especially so in cybersecurity where identifying and eliminating cyber threats quickly is critical. However, there are some things that machines and technology cannot replace: the intrinsic characteristics of the human mind—the hacker advantage.
Is AI a security panacea?
Cybersecurity educator and hacker, Katie Paxton-Fear, noted: “We are seeing a trend towards automation and people building up these automated pipelines, and that might be considered simple AI, but fundamentally, you can never replace that human creativity. You still need a human at the end of the pipeline to decide whether something’s worth investigating or not.”
In today’s fast-paced world, the amount of information and data for security teams to go through is massive. As companies work overtime to push code, criminals work overtime to find ways to break in. It can often feel impossible to scale security with product development. Innovation is outpacing traditional security measures, and it will take a unique combination of man and machine for security to keep pace.
Automation can handle the volume of data and catch security-related defects quickly throughout the software development lifecycle. It can quickly identify vulnerabilities it recognizes, and learn patterns and trends over time. However, machines often miss rare, deep-rooted problems, like multi-stage vulnerabilities or complicated issues like Insecure Direct Object References (IDOR).
Cyber threats are constantly evolving, and AI needs time to relearn and retrain to keep up with the evolution of attacks. Moreover, the technology is still relatively new, and is known to be plagued with false positives. In addition, AI can also be exploited by cyber-criminals to spread malware, effectively crippling your security.
And that is why the future of cybersecurity still lies in human intelligence. According to our data, ethical hackers find a software vulnerability every 2.5 minutes. In 77% of cases, public bug bounty programs receive their first vulnerability within the first 24 hours. For the US Army, it only took 5 minutes. That is the speed of hackers and the power of crowdsourced security.
Hackers represent a global force for good, coming together to help address the growing security needs of our increasingly interconnected society. The community welcomes all who enjoy the intellectual challenge to creatively overcome limitations.
Some hackers are security engineers and consultants themselves, looking to sharpen their skills. Hacking part time has helped in their daily job, as they learn how to think like a hacker. The additional skill set also adds value to their resume, increasing their value to the company, and making them more hireable.
Until AI beats ethical hackers …
In an era of increasing uncertainty and unprecedented challenges, more security leaders are partnering with ethical hackers to make the internet a safer place. CISOs are augmenting security frameworks with hackers’ human creativity and always-on security efforts. Our data showed that the Asia Pacific region added 93% more bug bounty programs, while Latin and South America added 29%. The numbers show that hacker-augmented security has been embraced by risk-conscious entities like the US Department of Defense.
Today’s challenges demand scalability, creativity, and adaptability on an unprecedented scale, and ethical hackers can be a way to add security that meets those demands. While AI and automation can handle the grunt work, organizations will still need skilled human eyes to see problems and solutions that current automation technologies cannot.