COMMENTARY: Enterprises need a new operating model for securing software. The time it takes adversaries to weaponize new vulnerabilities can be measured in hours, while the time enterprises require to patch vulnerabilities is still measured in weeks, if not months, creating a gap that contributes directly to mounting financial risks.

Meanwhile, AI-assisted development is creating significantly more software—and more vulnerabilities—than ever before. The combination of those factors is untenable in the current cyber risk landscape.

We are now at a crisis point that has been building for some time. Years ago, when I was leading development at a major network security vendor, our team developed a high-performing product that worked superbly but had an Achilles’ heel: The high productivity it generated left us with thousands of vulnerabilities that had to be remediated manually before the software could be released into production.

This existential bottleneck clearly demonstrated that waiting for downstream security sign-off was becoming impossible; it simply couldn’t scale to match the rate of production.

The rate of production, however, is scaling exponentially. The arrival of generative artificial intelligence, in the form of large language models (LLMs) such as OpenAI’s ChatGPT, Anthropic’s Claude and GitHub Copilot (built on OpenAI’s GPT-4), delivered a significant productivity boost, which has since accelerated with the introduction of vibe coding, in which developers issue high-level plain-language prompts and let AI handle all of the coding.

And now, the latest revolution in AI—AgenticOps—will ramp up production even further, overwhelming IT infrastructures and completely outpacing enterprises’ ability to secure software.

Agentic AI, in which AI agents act autonomously with a minimum of human intervention, is fueling AgenticOps, which is being heralded as the new paradigm for business operations. AgenticOps draws on data from across all domains in complex, distributed environments, including cloud systems and containers at the edge, and can initiate actions that allow teams to react swiftly. In software development, agentic AI can work in tandem with vibe coding, taking natural-language prompts and then autonomously performing complex tasks.

The pace of exploits leaves patch schedules in the dust

For software development, the bottom line is that code is now created with extreme speed and efficiency. But as for cybersecurity, it’s crucial to know that as a result of these new trends, many more vulnerabilities are making their way into the software ecosystem.

The gap between the moment a vulnerability becomes known and the moment enterprises actually fix it is the window attackers exploit. By some estimates, a cybercriminal or other adversary needs about 72 hours to weaponize a newly disclosed vulnerability. Enterprises, by contrast, generally aim to patch within 45 days, the same window CISA uses in its Coordinated Vulnerability Disclosure Program, and some companies take much longer. Studies report average patch times ranging from 38 days to a more troubling 60 to 150 days.

By any measure, that unpatched period is where most successful breaches occur: the longer a flaw remains unfixed, the greater the risk, and the greater the disruption once it is exploited. Research by the Ponemon Institute has found that the cost of a breach increases by $84,000 for every hour a vulnerability is left unpatched.

A flow-defending model can restore balance

All of this puts the responsibility for reining in the risks of AI squarely on the shoulders of CISOs. Security vendors are responding with aggressive tools for blocking exploits, automating responses and applying security controls at a granular level. But the key to mitigating vulnerabilities in the hyper-fast AgenticOps environment is to distribute automated detection and remediation across every stage of the software development life cycle (SDLC). It’s a new approach called flow defending.

Many enterprises have reacted to the rising risk of software vulnerabilities by adopting a shift-left approach, moving security checks and testing closer to the beginning of the SDLC. Some organizations also emphasize implementing secure coding practices at the very beginning of the cycle, but as AI generates a greater share of code, the emphasis must be on catching flaws as the code is generated. In either instance, it puts too heavy a burden on developers, who typically receive little or no cybersecurity training as part of their education.

A flow defending model would distribute automated vulnerability discovery, hardening and remediation throughout the SDLC to enable fast mitigation of security issues whenever and wherever they crop up. It would make use of integrated, workflow-embedded tooling, scanning, and hardened base components, along with guided remediation and runtime visibility.

For example, a flow defending model could draw on thousands of pre-hardened, curated container images with near-zero CVEs, so that most vulnerabilities are removed from the base layers before a build even starts and the few that remain can be identified and remediated quickly.

The images, which can also support FIPS 140-3 compliance, are customized software profiles built from analysis of system calls, file access, network traffic and memory access. That analysis makes it possible to identify and remove unused software and to remediate vulnerabilities, significantly reducing the attack surface. And rather than slowing things down, the automated processes of a flow defending model speed up the creation of secure software. Automation has also proved to be a worthwhile investment, typically achieving ROI in about 4.7 months.

The speed of cyber exploits combined with the latency in applying patches and the accelerated software production resulting from AI vibe coding and AgenticOps has created a losing scenario for enterprises. The threat to data and the financial risks are too great to continue working under old models of software cybersecurity. Enterprises need a new, flow defending approach that spreads vulnerability detection and remediation across the SDLC with efficient, hardened and automated processes.

That approach can close the exploit window and reduce risk exposure costs by aligning development, security and operations teams around shared time-to-fix metrics.
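As an added illustration of the shared time-to-fix metrics described above and of the exploit window discussed earlier, the script below (example code, not the author's or any vendor's) computes exposure windows for findings detected at different SDLC stages, flags those open longer than a per-severity SLA or longer than the 72-hour weaponization estimate quoted in this piece, and reports mean time to fix per team and per stage. The findings are constructed sample data and the per-severity SLA values are assumptions chosen for illustration.

```python
"""Exposure-window and time-to-fix metrics for vulnerability findings
across SDLC stages. Added example with constructed data; the 72-hour
exploit window is the estimate quoted in the article, the per-severity
fix SLAs are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, Iterable, List, Optional

EXPLOIT_WINDOW = timedelta(hours=72)  # adversary weaponization estimate (from the article)

# Assumed time-to-fix targets shared by dev, security and ops (illustrative values).
FIX_SLA: Dict[str, timedelta] = {
    "critical": timedelta(days=3),
    "high": timedelta(days=14),
    "medium": timedelta(days=45),
    "low": timedelta(days=90),
}


@dataclass
class Finding:
    finding_id: str
    severity: str
    stage: str                    # SDLC stage where the flaw was detected
    team: str
    first_seen: datetime
    fixed_at: Optional[datetime]  # None means the finding is still open


def exposure(f: Finding, now: datetime) -> timedelta:
    """Time the flaw has been open: detection to fix, or detection to now if unfixed."""
    end = f.fixed_at if f.fixed_at is not None else now
    if end < f.first_seen:
        raise ValueError(f"{f.finding_id}: fix time precedes detection time")
    return end - f.first_seen


def sla_breached(f: Finding, now: datetime) -> bool:
    return exposure(f, now) > FIX_SLA[f.severity]


def exploit_window_exceeded(f: Finding, now: datetime) -> bool:
    """Open longer than an adversary typically needs to weaponize a flaw."""
    return exposure(f, now) > EXPLOIT_WINDOW


def parse_findings(lines: Iterable[str]) -> List[Finding]:
    """Parse 'id,severity,stage,team,first_seen,fixed_at' lines; blank fixed_at = open."""
    out: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fid, sev, stage, team, seen, fixed = [p.strip() for p in line.split(",")]
        sev = sev.lower()
        if sev not in FIX_SLA:
            raise ValueError(f"{fid}: unknown severity {sev!r}")
        out.append(Finding(fid, sev, stage, team, datetime.fromisoformat(seen),
                           datetime.fromisoformat(fixed) if fixed else None))
    return out


def time_to_fix_report(findings: List[Finding], now: datetime) -> dict:
    """Mean time to fix (hours, closed findings only) per team and per stage,
    plus the IDs that breached SLA, outlived the exploit window, or are still open."""
    by_team: Dict[str, List[float]] = {}
    by_stage: Dict[str, List[float]] = {}
    breached, exceeded, still_open = [], [], []
    for f in findings:
        hours = exposure(f, now) / timedelta(hours=1)
        if f.fixed_at is None:
            still_open.append(f.finding_id)
        else:
            by_team.setdefault(f.team, []).append(hours)
            by_stage.setdefault(f.stage, []).append(hours)
        if sla_breached(f, now):
            breached.append(f.finding_id)
        if exploit_window_exceeded(f, now):
            exceeded.append(f.finding_id)
    return {
        "mttf_hours_by_team": {t: round(mean(v), 1) for t, v in by_team.items()},
        "mttf_hours_by_stage": {s: round(mean(v), 1) for s, v in by_stage.items()},
        "sla_breached": breached,
        "exploit_window_exceeded": exceeded,
        "still_open": still_open,
    }


# Constructed sample findings (not real data); F-3 is still open at NOW.
SAMPLE = """\
# id,severity,stage,team,first_seen,fixed_at
F-1,critical,build,payments,2025-03-01T09:00,2025-03-02T17:00
F-2,high,code-review,payments,2025-03-03T10:00,2025-03-20T10:00
F-3,critical,runtime,platform,2025-03-05T08:00,
F-4,medium,build,platform,2025-02-01T12:00,2025-03-10T12:00
F-5,low,dependency-scan,payments,2025-03-10T00:00,2025-03-12T00:00
"""
NOW = datetime(2025, 3, 12, 12, 0)

if __name__ == "__main__":
    for key, value in time_to_fix_report(parse_findings(SAMPLE.splitlines()), NOW).items():
        print(f"{key}: {value}")
```

The report deliberately separates two questions: whether a team met its agreed SLA, and whether the flaw was open long enough for an adversary to weaponize it. F-4 illustrates the point of the article: it stayed inside a 45-day medium-severity target yet sat exploitable for 37 days, so an SLA that only tracks policy deadlines will not reveal the real exposure.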