LLMs and Vulnerability Discovery: A “red alert” for Adopting Zero Trust

My colleague Adam Shostack recently wrote an insightful blog post entitled “Vulnerability Finding: An Inflection Point”, about the impact that LLM-driven vulnerability discovery systems are having. I recommend you read the whole article, and want to highlight one paragraph in particular, where he states:

“Your job is starting to include the assumption that working exploits exist in each of your binaries, and to design engineering and deployment patterns that isolate those binaries and limit blast radius.”

Adam writes largely from a threat modeling perspective, and I want to look at this through my Zero Trust lens. Think about the assumption (or perhaps, “logical conclusion”) that each and every binary that we deploy – regardless of whether we build it ourselves or if it’s commercial software – has exploitable vulnerabilities that will be found in the near future. First up, this should scare us a little bit. And second, this should increase your urgency around enforcing the default deny, explicit allow access model demanded by Zero Trust.

If all the software we deploy has exploitable vulnerabilities, we *must* put ourselves into a position where we not only know what the expected network transaction flows are for this system, but we define and enforce access policies that utilize technical controls to enforce this. That is, we have a clear and accurate picture of expected application and system behavior, and that there’s no “daylight” between what we expect and what actually occurs. 

This needs to be enforced for all network based activities, for both inbound and outbound transaction flows. If your immediate reaction is that this is difficult or impossible to achieve in your organization, I urge you to challenge yourself and your broader teams. This level of governance and workload lifecycle rigor is necessary, and in fact should be thought of as a new level of “table stakes.”

I encourage you to shift your mindset here. Just like today you’d never deploy a remote access solution without some form of MFA, we need to hold our enterprises equally accountable to this new standard. We should never deploy a workload without an accurate, machine-readable record of expected inbound and outbound access patterns, and enforce this access from day 1 for all identities.

In my mind, this is a great example of how and why to apply Zero Trust principles to make our enterprises more resilient in the current threat landscape. Is this easy? No, this is hard work. But it’s necessary.

Finally, keep in mind that done properly, this is not going to impose a significant burden on your development or deployment teams. This information is already available within your organization; it’s a question of capturing it, putting it into an accessible repository, and automating the processes around this. 

Want to explore this further? Let’s talk.