Security - September 28, 2025

Amid the AI Revolution, Cybersecurity Firm Wiz Warns of Expanding Attack Surface and Need for ‘Vibe Security’

Ami Luttwak, chief technologist at Wiz, emphasizes that cybersecurity is a mental battle. As AI is rapidly integrated into enterprise workflows through various means, the attack surface expands. While AI accelerates code development, it often introduces shortcuts and errors, creating potential vulnerabilities for attackers.

Recent tests conducted by Wiz revealed a common issue in vibe coded applications: insecure authentication implementation. Luttwak explained that this occurred because it was simpler to build the applications without focusing on security. He cautioned that companies face a constant tradeoff between speed and security, with attackers now leveraging vibe coding, prompt-based techniques, and even their own AI agents to launch attacks.

Attackers are also exploiting new AI tools introduced by companies for efficiency improvements, potentially leading to “supply chain attacks.” For instance, last month, Drift – a startup offering AI chatbots for sales and marketing – was breached, exposing Salesforce data of numerous enterprise clients like Cloudflare, Palo Alto Networks, and Google. The attackers gained access to tokens and used them to impersonate the chatbot, query Salesforce data, and move laterally within customer environments.

Luttwak noted that while AI adoption by enterprises is still minimal, Wiz already encounters weekly attacks affecting thousands of enterprise customers, with AI embedded at every step. He highlighted another significant supply chain attack in August, on Nx, a popular JavaScript build system, where attackers introduced malware that detected AI developer tools like Claude and Gemini in order to autonomously scan the system for valuable data.

Despite these threats, Luttwak finds this an exciting time for cybersecurity leaders. Wiz, founded in 2020, initially focused on helping organizations address misconfigurations, vulnerabilities, and other security risks across cloud environments. Over the past year, Wiz has expanded its capabilities to keep pace with the speed of AI-related attacks and to utilize AI for its own products.

In September 2021, Wiz launched Wiz Code, aimed at securing the software development lifecycle by identifying and mitigating security issues early in the development process. In April 2022, they introduced Wiz Defend, offering runtime protection through detection and response to active threats within cloud environments.

Luttwak stressed the importance of understanding a customer’s applications for Wiz to provide “horizontal security.” He explained that this understanding allows him to develop customized security tools tailored to each client’s specific needs.

When it comes to data handling, Luttwak advises startups not to indiscriminately hand over company, employee, and customer data to every small SaaS company promising AI insights. Instead, he emphasizes the need for these companies to prioritize security and compliance from their inception, hiring a CISO (chief information security officer) even if they have only five employees.

Before writing a single line of code, startups should think like highly secure organizations, considering enterprise security features, audit logs, authentication, access to production, development practices, security ownership, and single sign-on. This approach prevents the need for later process overhauls and potential “security debt.”

For cybersecurity startups entering the field in the AI era, Luttwak sees opportunities across various areas such as phishing protection, email security, malware detection, endpoint protection, and workflow automation tools for “vibe security,” given that many security teams are still learning to defend against AI.

“The game is open,” Luttwak concluded. “If every area of security now has new attacks, then it means we have to rethink every part of security.”