The Aftermarket Diagnosis

Jen Easterly recently shared a sharp diagnosis of cybersecurity. She said we do not have a cybersecurity problem. We have a software quality problem.

We have spent decades building an industry to fix flaws that should never have existed.

The goal is to move security upstream. We must build security into the code from the start. We should not bolt it on later.

Her diagnosis is right. But her prescription is wrong.

Tools like Anthropic's Project Glasswing find vulnerabilities and help fix them. This is faster. It is cheaper. It is better.

But it is still an aftermarket solution.

Finding a bug faster is still finding a bug. Fixing it cheaper is still fixing it. The vulnerability still exists. It was created. It was deployed. Then the AI found it.

That is not the end of the aftermarket. That is just a faster aftermarket.

True upstream security uses deterministic rules. It does not use probabilistic models.

Real upstream security looks like this:

• Humans declare what must be true before code is written.
• Machines verify every change against that declaration.
• The system rejects anything that violates the rule.

This is how aviation and nuclear plants work. A pilot does not find mistakes after a flight. A flight computer prevents unsafe states during the flight.

In software, we should do the same.

If a vulnerability is predictable, we should declare it.

• Do not allow public S3 buckets.
• Do not allow unauthenticated API requests.
• Do not allow known critical flaws in dependencies.

If you declare these rules, the vulnerability never exists. You do not need to find it. You do not need to patch it. You do not need to spend money on AI to detect it.

AI is great for finding new, unknown patterns. But using an AI to check for known configuration errors is using the wrong tool. It is like using a poem to measure temperature when you have a thermometer. The thermometer is exact. The poem is just an opinion.

The best way to use AI is as a ratchet:

  1. AI finds a new type of vulnerability.
  2. Humans review the finding.
  3. Humans write a new rule to prevent that class of error forever.
  4. The machine enforces that rule automatically.
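The three declarations above and the ratchet's rule list, written as a deterministic gate. This is an added example, not code from the original post; the `Change` fields, the `severity` and `auth` values, and the advisory identifier are assumed placeholders, not a real IaC or SBOM schema.

```python
from dataclasses import dataclass, field

# A proposed deployment, constructed for this example; the field names are
# assumptions, not a real IaC or SBOM schema.
@dataclass
class Change:
    s3_buckets: list[dict] = field(default_factory=list)
    api_routes: list[dict] = field(default_factory=list)
    dependencies: list[dict] = field(default_factory=list)
# Each declaration is a deterministic predicate: same input, same verdict.
# It returns every violation it finds so the gate can report all of them.
def no_public_buckets(change: Change) -> list[str]:
    return [f"s3 bucket '{b['name']}' is public" for b in change.s3_buckets
            if b.get("acl") in ("public-read", "public-read-write")
            or not b.get("block_public_access", True)]

def no_unauthenticated_routes(change: Change) -> list[str]:
    return [f"route '{r['path']}' has no authentication"
            for r in change.api_routes if r.get("auth", "none") == "none"]

def no_known_critical_flaws(change: Change) -> list[str]:
    return [f"dependency '{d['name']}' has critical advisory {d['advisory']}"
            for d in change.dependencies
            if d.get("severity", "").lower() == "critical"]

# Step 3 of the ratchet ends here: a reviewed finding becomes one more rule
# appended to this list; step 4 is the loop in evaluate().
RULES = [no_public_buckets, no_unauthenticated_routes, no_known_critical_flaws]

def evaluate(change: Change) -> list[str]:
    """Run every declared rule; an empty list means nothing was violated."""
    violations = []
    for rule in RULES:
        violations.extend(rule(change))
    return violations

def admit(change: Change) -> bool:
    """The gate: a change is admitted only if it violates no declaration."""
    return not evaluate(change)

# Constructed sample changes: BAD breaks all three declarations, GOOD is clean.
BAD = Change(
    s3_buckets=[{"name": "logs", "acl": "public-read"}],
    api_routes=[{"path": "/admin", "auth": "none"}],
    dependencies=[{"name": "libexample", "advisory": "ADVISORY-PLACEHOLDER",
                   "severity": "critical"}])
GOOD = Change(
    s3_buckets=[{"name": "logs", "acl": "private", "block_public_access": True}],
    api_routes=[{"path": "/admin", "auth": "oidc"}],
    dependencies=[{"name": "libexample", "advisory": "", "severity": "none"}])
```

Run as a pre-merge or pre-deploy step, `admit(change)` is the whole verdict: no scoring, no model, and a new rule is one more function in `RULES`.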

This makes the AI's job smaller every single day.

We do not need a silver bullet. We need a system of declarations, verification, and discovery.

Source: https://dev.to/bala_paranj_059d338e44e7e/the-aftermarket-she-diagnosed-is-the-aftermarket-she-prescribed-33bf

Optional learning community: https://t.me/GyaanSetuAi