Anthropic’s Project Glasswing addresses how AI exploits vulnerabilities


After Anthropic’s announcement of Project Glasswing, the “find and fix” approach to bugs and vulnerabilities will have to be rethought.
Project Glasswing is a multi-vendor initiative to strengthen cyber security. According to the announcement, it came together after cutting-edge AI models showed they could detect and exploit vulnerabilities faster than all but the most skilled people could detect and fix them. Anthropic’s Claude Mythos Preview demonstrated this, and it has already found major vulnerabilities in all major operating systems and web browsers, the company said. The speed of risk remediation lags behind.
“Given the rate of progress in AI, it won’t be long before such capabilities are widespread, possibly beyond actors committed to safe use,” Anthropic wrote on its blog. “The fallout—economic, public safety, and national security—could be dire. Project Glasswing is an urgent effort to harness these capabilities to serve defensive purposes.”
Jeff Williams, founder of OWASP and co-founder and CTO of Contrast Security, said, “Mythos makes the first domino clear: when the frontier of AI is able to hunt bugs on a large scale, the idea of paying people for routine detection starts to collapse. This not only threatens the benefits of buggers. It threatens the idea of safety and security behind the research. It comes to an acceptable conclusion.”
A preview is available to launch partners so they can work on defense strategies; they will share their knowledge with the industry. Partners include Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.
Williams believes the future belongs to software companies that can reliably produce secure code and the verification case to prove it. This is important because, in his view, “it is highly doubtful that Anthropic will be able to limit the malicious use of this model. Anthropic has also produced impressive results, but most of the data is still self-reported and can be partially verified externally.”
Snehal Antani, CEO of pen testing company Horizon3, sees this playing out in the real world. Horizon3 has conducted 225,000+ fully independent tests, revealing vulnerabilities that many organizations don’t even know exist. “CISOs should focus on what’s truly exploitable, high-impact and actively used by attackers, not just how high the volume is,” Antani said. “As AI accelerates vulnerability and KEV exploit times decrease, organizations are struggling to detect, fix and validate issues quickly enough.”
Antani said the real problem is remediating at scale. “With many KEVs still unpublished weeks after exposure, the industry must develop mitigation, compensatory controls, and detection to close the growing exposure window.”
Contribution to the Apache Software Foundation
Anthropic said it is making a $1.5 million donation to help ASF work to ensure the robustness and integrity of AI systems.
“AI is accelerating rapidly, but it’s built on decades of open source infrastructure that must remain stable, secure, and independent,” said Vitaly Gudanets, Chief Information Security Officer, Anthropic. “Supporting the Apache Software Foundation is a direct investment in the robustness and reliability of the systems that modern AI — and the broader software ecosystem — depend on.”
ASF projects help the open source community to flourish, without the need to purchase and use commercial proprietary software.
“Open source software is the basis of modern digital life – especially in ways that the average person is completely unaware of – and ASF projects are an important part of that. When it works, no one notices, and that’s exactly the goal,” said Ruth Suehle, the foundation’s president. “But that kind of reliability is not a given. It’s the result of continued investment in neutral, community-managed infrastructure by each part of the ecosystem. Support like Anthropic’s helps ensure the long-term viability, independence, and security of the systems that keep the world running.”
Anthropic’s donation will help fund ASF’s ongoing investment in infrastructure, including build systems, security procedures, project services, and community support – ensuring that Apache projects can continue to serve as the backbone of the global software ecosystem, the foundation wrote in its announcement.
Learn more about how to support ASF at https://apache.org/



