Businesses turn to humans to combat AI threats

A new survey from HackerOne shows 67 percent of respondents believe an external, unbiased review of GenAI is the most effective way to uncover AI safety and security issues as AI red teaming gathers momentum.

Nearly 10 percent of security researchers now specialize in AI technology as 48 percent of security leaders consider AI to be one of the greatest risks to their organizations, according to the report, which is based on data from 500 global security leaders and more than 2,000 hackers on the HackerOne platform.

More than two-thirds (68 percent) of security professionals say an external and unbiased review of AI implementations is the most effective way to mitigate AI safety and security risks overall. There has been a 171 percent increase in AI assets in scope on the HackerOne platform, with 55 percent of all AI vulnerabilities reported being AI safety issues.

"Even the most sophisticated automation can't match the ingenuity of human intelligence," says Chris Evans, HackerOne CISO and chief hacking officer. "The 2024 Hacker-Powered Security Report proves how essential human expertise is in addressing the unique challenges posed by AI and other emerging technologies. The report also provides guidance on building productive relationships between organizations and security researchers so the most novel and elusive vulnerabilities can be effectively found and fixed."

Among other findings, cross-site scripting (XSS) and misconfigurations remain the most-reported weaknesses. Pentests and bug bounties also continue to be the top engagements identifying these issues. Pentests uncover more systemic or architectural vulnerabilities like misconfigurations. In bug bounty programs, security researchers focus on real-world attack vectors, user-level issues, and business logic flaws, with XSS as the most commonly discovered weakness.

Security-mature and tech-focused industries like online services, retail, and e-commerce are actively reducing common vulnerabilities, in contrast to more traditional industries. Web3 companies also have 65 percent fewer reports for XSS than the industry average.

You can get the 2024 Hacker-Powered Security Report on the HackerOne site.


