June 9, 2026

Just Fix Everything

Robert "RSnake" Hansen


We’re hearing a lot of rumbling about Mythos and what it enables or forces us to do as an industry. One of those things is that we’re going to have to patch everything. And people are starting to move in the direction of saying that the solution to that is autopatching driven by an LLM. For those not familiar, autopatching is when you let a computer apply the patch with no humans in the loop. In theory it allows you to fix every vulnerability. Every! Now that is a loaded statement, and one I have to take issue with.

Let’s start by defining where vulnerabilities lie. Here is a small subset of the myriad possibilities:

  • Firewall hardware
  • VPN hardware
  • Printers
  • Thermostats
  • IP Telephones
  • Third-party APIs
  • Medical devices, like pacemakers
  • Dam SCADA systems
  • Mission-critical billing systems
  • Stock exchanges
  • Airplanes
  • Self-driving cars
  • Elevators
  • Etc.

I can come up with thousands of horror stories associated with autopatching any one of the things mentioned above if it is not absolutely perfect. And not just perfect in the sense that the patch itself is correct, but perfect in that it produces zero downtime. Because in the real world, unplanned downtime can cost millions, or leave people stranded, injured or dead, and avoiding that takes a lot of thinking and pre-planning.

I refer to this pushback that I am voicing, and the fear of outages and other issues behind it, as “back pressure”. We saw something similar happen when people started doing penetration testing. “You want to do WHAT to my machine?” Then SaaS DAST scanning. “You want all my vulns in the cloud?!” So the industry can get over things, and most of the concerns are both valid and overhyped at the same time. That said, LLM-caused outages are a very real thing that have already happened quite a few times.

I do think autopatching has a place in software engineering, where it fixes code on the fly while still giving you time to test and validate that code before it ships. Where I think it falls down, because of the risk it introduces, is in production, and that is the very place where patching matters most. Production is where the adversaries are attacking, but taking it down is a non-starter.
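To make that split concrete, here is an added example written for this post (it is not the author's code or any product's): a small policy gate that lets an LLM-generated patch flow automatically onto commodity dev and CI hosts, demands a named human approver plus a canary wave with automatic rollback before it touches ordinary production, and refuses outright for safety-critical assets like the pacemakers and dam SCADA systems listed above. The asset tiers, the gate rules and the `healthy(host)` callback are assumptions chosen to model the argument, not a reference to any real tooling.

```python
"""Patch gating with a human in the loop, a canary wave and automatic rollback.

Added illustration written for this post, not code from it. The asset tiers,
gate rules and the healthy(host) callback are assumptions used to model the
argument that autopatching belongs before production, not in it.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Tier(Enum):
    COMMODITY = "commodity"              # dev/CI boxes: fully automatic is fine
    PRODUCTION = "production"            # needs a named human approver + canary
    SAFETY_CRITICAL = "safety_critical"  # pacemakers, dam SCADA, aircraft: never automatic


@dataclass
class Patch:
    asset: str
    tier: Tier
    tests_passed: bool                 # did the generated fix pass the test suite?
    approver: Optional[str] = None     # human who signed off, if anyone
    log: List[str] = field(default_factory=list)


def gate(patch: Patch) -> bool:
    """Policy gate: True only if this patch may be applied to its asset at all."""
    if not patch.tests_passed:
        patch.log.append("blocked: test suite not green")
        return False
    if patch.tier is Tier.SAFETY_CRITICAL:
        patch.log.append("blocked: safety-critical asset, out of scope for autopatching")
        return False
    if patch.tier is Tier.PRODUCTION and not patch.approver:
        patch.log.append("blocked: production requires a named human approver")
        return False
    patch.log.append(f"gate passed (approver={patch.approver})")
    return True


def canary_rollout(patch: Patch, hosts: List[str],
                   healthy: Callable[[str], bool], canary_size: int = 1) -> bool:
    """Apply the patch to a canary wave, then the rest, rolling back on any bad check.

    healthy(host) is an assumed hook (readiness probe, crash-loop detector, ...)
    that reports whether a host is still serving after being patched.
    """
    if not gate(patch):
        return False
    patched: List[str] = []
    for wave in (hosts[:canary_size], hosts[canary_size:]):
        for host in wave:
            patched.append(host)
            patch.log.append(f"patched {host}")
        bad = [h for h in wave if not healthy(h)]
        if bad:
            for h in reversed(patched):            # undo everything touched so far
                patch.log.append(f"rollback {h}")
            patch.log.append("aborted: unhealthy after patch: " + ", ".join(bad))
            return False
    patch.log.append("rollout complete")
    return True


def run_scenarios() -> dict:
    """Constructed scenarios; returns {name: (succeeded, log)}."""
    web = ["web-1", "web-2", "web-3", "web-4"]
    canary_crashes = lambda host: host != "web-1"   # web-1 is the canary; it breaks
    all_fine = lambda host: True
    scenarios = [
        ("dev_autopatch", Patch("ci-runner", Tier.COMMODITY, True), ["ci-1"], all_fine),
        ("prod_no_human", Patch("billing-api", Tier.PRODUCTION, True), web, all_fine),
        ("prod_bad_canary", Patch("billing-api", Tier.PRODUCTION, True, "oncall"), web, canary_crashes),
        ("prod_good", Patch("billing-api", Tier.PRODUCTION, True, "oncall"), web, all_fine),
        ("pacemaker", Patch("pacemaker-fw", Tier.SAFETY_CRITICAL, True, "oncall"), web, all_fine),
    ]
    return {name: (canary_rollout(p, hosts, h), p.log) for name, p, hosts, h in scenarios}


if __name__ == "__main__":
    for name, (ok, log) in run_scenarios().items():
        print(f"{name}: {'OK' if ok else 'BLOCKED'}")
        for line in log:
            print("   ", line)
```

The point of the canary wave is blast radius: in the `prod_bad_canary` scenario the patch breaks one host, gets rolled back from that one host, and never reaches the other three. The point of the approver check is that "no humans in the loop" is a per-tier decision, not a global one.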

There have been tons of instances where this has gone wrong before: OS updates that brick machines, anti-virus that flags important system files, EDR that causes crashes. And all of that happened without hallucinating AIs in the loop, that is, with human oversight. LLMs are a whole different ball game when they are let off the chain to run and patch a network autonomously.
