The Boring Stuff Is Dangerous Now

The Boring Stuff Is Dangerous Now

Newsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsEndpoint SecurityChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsbyAlexander CulafiMay 22, 20264 Min ReadApplication SecurityGitHub Confirms Breach, 4K Internal Repos StolenGitHub Confirms Breach, 4K Internal Repos StolenbyAlexander CulafiMay 20, 20263 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryCyber RiskThreat IntelligenceVulnerabilities & ThreatsCommentaryThe Boring Stuff Is Dangerous NowAI agents capable of discovering and exploiting obscure vulnerabilities are emerging alongside developers producing vast amounts of potentially flawed AI-generated code, forcing defenders to adapt accordingly.Shlomie Liberow,Founder and CEO,aisyMay 18, 20264 Min ReadSource: Yuri Arcurs via Alamy Stock PhotoOPINIONAre you freaking out? It feels like the entire industry is losing its head over the collision of two huge security pressures. First, every development team has suddenly been mandated to use AI coding tools, resulting in thousands of new bugs and misconfigurations. This has coincided with the announcement that if Claude Mythos was unleashed, it would exploit every unknown vulnerability out there. It's enough to make everyone from triagers and chief information security officers (CISOs) want to give up.Let's consider how both scenarios play out and what it means for vulnerability discovery, vulnerability management, and actual risk reduction.When Claude Code Security was announced earlier this year, there was a lot of hype around it being the silver bullet for insecure code. Cybersecurity stocks dropped. Think pieces questioned if we'd all be out of a job. Enterprises were excited though by the massive improvements and possibilities offered by the models. In the past few weeks, mandates have swept through businesses, requiring all developers to use AI coding tools. Now, there's no denying these tools are good, and the code they create is high quality and secure in itself. But that's not where the security issues lie. It's in the implementation where the risk sits; a broken assumption about how an API validates input or the same misconfigured permission pattern, repeated everywhere because developers are working fast and the feedback loop between "code shipped" and "vulnerability found" constantly shrinks. You've got a situation where developers are shipping at incredible speed, and CISOs are just expected to manage the risk. The question becomes: how can we build more security into the development and implementation process without putting more pressure on developers? Related:Verizon DBIR: Healthcare Fends Off Increased Social Engineering AttacksEnter Anthropic's Project GlasswingPreviously, the implicit assumption in enterprise security was that obscurity offered partial protection. Attackers weren't wasting their time on onerous discoveries. It took days of tedious recon to map a target's third-party ecosystem, such as which regional software-as-a-service (SaaS) provider handles compliance, which internal tool has read access to production, or which open source library sits six levels deep in the dependency tree. That friction acted like accidental insurance. Anthropic's Project Glasswing removes that barrier.Models like Mythos don't need creative genius, they just need reach. They have it, and that changes what counts as an attractive target. An agent can follow a trust graph systematically without fatigue and without distraction; the boring path through a forgotten vendor becomes highly exploitable, especially because nobody's watching it. Attackers don't need a zero-day when an agent can map your third-party ecosystem, identify which provider runs a known-vulnerable framework version, resolve the trust path to production, and chain it together. Related:Content Delivery Exploit Opens Websites to Brand HijackingSo, we have this perfect storm of an explosion of new and poorly implemented code, with agents that can find the most obscure vulnerabilities and chain them together to deliver maximum impact. What does this mean for organizations? Until now, they've been focused on locking down their most critical applications while legacy integrations and vendor tooling keep broad access quietly in the background. This is longer tenable. You have a situation where security teams are going to be more overwhelmed by vulnerability reports than ever. They essentially have the same problem — how do we know what to prioritize — just multiplied by a hundred. You can't go to engineering teams with every reported vulnerability. You lose credibility if everything is urgent, especially when they don't have time and patience to fix everything either. My advice to organizations is to start with focusing on what you're most worried about. A critical vulnerability in a system that doesn't hold any PII or provide privileged access isn't as important as a combination of low-level vulnerabilities that result in actual high business impact. What do you need to protect against? Then go looking for everything that threatens it. If you start identifying common recurring themes, this intelligence can then be fed back into those AI coding tools so developers can be prompted at the moment of implementation that a common issue arises at this point and then mitigate for it. Overall, this reduces friction between security and engineering teams.Related:How CISOs Should Prep for Agentic-Ready AI BOMsThere are three things to consider when working out where your risk lies: Track transitive dependencies, data flows, permissions and the common patterns there. If you cannot answer "Why does this keep happening?" quickly, you have a context gap.Prioritize patching the root causes based on the trust-path risk rather than asset prestige. The internal service nobody cares about can be higher risk than a flagship app if it sits on a more privileged path.Double down on remediating patterns of vulnerabilities. Over time, the focus should be enough pattern standardization that the AI tooling used to build learns from each mistake.This will help target the real risk and avoid overwhelming engineering at exactly the moment security teams need their trust.Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now!Read more about:OpinionAbout the AuthorShlomie LiberowFounder and CEO, aisyShlomie is the founder and CEO of aisy. He spent nearly a decade as a hacker and head of Hacker R&D at HackerOne, working alongside Zoom, Salesforce, Capital One, and the Pentagon to find and triage thousands of vulnerabilities, making judgment calls on over $20 million in verified findings. Prior to this, Shlomie protected some of the world's most high-profile personalities from cyber threats, anticipating risks before they materialized and taking proactive measures to secure against them.See more from Shlomie LiberowWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Organizations Are Managing Incident ResponseHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security ManagementAccess More ResearchWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackDefending in the Shadow Era: When the CVE Feed Goes DarkBuilding SecOps That Make the Most of Every DollarAI-Powered Cybersecurity for Resource-Constrained OrganizationsAI-Powered Credential Security: Intelligence Without ExposureMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackThurs, June 25, 2026, at 1pm ESTDefending in the Shadow Era: When the CVE Feed Goes DarkTues, June 16, 2026 at 1pm ESTBuilding SecOps That Make the Most of Every DollarThurs, July 9, 2026 at 1pm ESTAI-Powered Cybersecurity for Resource-Constrained OrganizationsThurs, June 18, 2026, at 1pm ESTAI-Powered Credential Security: Intelligence Without ExposureWed, June 17, 2026, at 1pm ESTMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity