
Vulnerability Management & Aerospace Engineering

Vulnerability Management and WWII Aircraft

Professor Anderson, a legend in the Aerospace Engineering Department at the University of Maryland, was one of the best professors I ever had.  He just loved Aerospace Engineering, and especially its history.  At the end of each technical chapter in the textbook he wrote (and we used), there was a section on aerospace engineering history, and he’d test us on it.  One lesson stuck.  In the early days of flight, planes were designed to be “statically stable.”  They were less maneuverable and very clunky, but a statically-unstable airplane built in the 1940s, for example, would have been virtually impossible to fly.  Enter the invention of the computer, which enabled “fly by wire,” or the micro-control of the aircraft by on-board computers that can adjust thousands of times per second.  This enabled the production of statically-unstable aircraft, and fighter planes like the F-35 that are hyper-maneuverable compared to earlier fighters.  The point of this aerospace history lesson?  Are the designers of the F-35 smarter than the designers of the 1940s who built the statically-stable P-51 Mustang?  Of course not.  The F-35 engineers simply had access to a pivotal technology the P-51 guys didn’t.

Vulnerability management and aero engineering have something in common

Although the worlds of aerospace engineering and vulnerability management may seem as far apart as the Wright Flyer and the Space Shuttle, we all might benefit from a closer look.  Let’s compare legacy vulnerability products - built from the ground up nearly two decades ago - to Delve, founded just a few short years ago on the basis of exploiting advanced AI technology to address enterprise vulnerability management and remediation challenges.  At the beginning of this century, computers and networks were really coming into their own, but technologies like machine learning were just beginning to emerge in the research labs of the world’s leading computer science universities; using AI in everyday products was projected, but not feasible.  Using AI as a core element of a vulnerability management product was not an option when the legacy VM products were conceived, so it wasn’t possible to attempt to deliver functionality like contextual prioritization, for example; Delve couldn’t have done it either had it been founded in 2001 or 2002.

But much like the designers of the F-35 and today’s advanced fighter jets, Delve’s founders not only had access to technology unavailable to legacy competitors at the time of their initial product development, but they also had expertise in those advanced technologies to supplement their pen testing pedigrees.  This combination of a previously-unavailable toolset and contemporary cyber security expertise - the threat landscape has also evolved considerably since the turn of the century - yielded a completely different perspective on vulnerability management, and vulnerability prioritization and remediation, in particular.

Which begs the same question:  is the Delve technical team smarter than legacy vulnerability management product developers?  Although my answer to that question at the Delve holiday party would undoubtedly be yes, we all know that’s probably not the case.  Legacy VM products were conceived and built long before modern technology like AI was practically available;  Delve’s technical team had much more sophisticated tools to work with, and they leveraged every one of them.

The statically-stable P-51 helped win the air war in Europe, and was an exceptional fighter for its time.  Similarly, older vulnerability products - state-of-the-art in the early 2000s - were impressive first-generation tools that helped pave the way for modern solutions like Delve.  That’s a legacy to be proud of.

But you can now find P-51s only in museums or at air shows.

F-35s are a different story.

 
