Deep Dive
AI accelerates vulnerability discovery but slows down fixes: Monash University's security dilemma and breakthrough
The head of applied security at Monash University pointed out that while AI accelerates vulnerability discovery, the repair speed lags, supply chain attacks surge, and developers are facing the risk of "cognitive offloading."
When AI Accelerates Vulnerability Discovery, Fixes Are Still Stuck in "Yesterday's Thinking"
Application security teams are facing an increasingly acute contradiction: AI tools have driven vulnerability discovery to historic highs, but remediation efficiency has not kept pace. Luke Bampton, Head of Application Security at Monash University, said in a recent interview: "We've never found vulnerabilities so fast, but the lag in fixing them remains." This observation reveals a deep structural problem in application security in the AI era.
Monash University now has over 98,000 students and 20,000 employees, managing 500,000 IP addresses. As a global higher education and research institution, it supports more than 40 development teams, ranging from senior engineers to undergraduate students. Bampton's strategy is not to enforce a unified toolset, but to ensure consistent security outcomes. However, the rapid penetration of AI is disrupting the original balance.
Bampton pointed out that current working methods are still stuck in the "pre-AI era" and are not designed for "having to fix production issues yesterday." AI has fully emerged as a "force multiplier" for digital products, but security is still catching up. He specifically mentioned recent developments like Anthropic's Mythos, showing generative AI is moving deeper into application security upstream. In his view, trustworthy AI-driven remediation will be the next step, but "for now, we are in a phase where AI accelerates delivery, and security lags behind."
Supply Chain Threats and the Risk of "Cognitive Offloading"
Beyond the discovery-to-fix time gap, Bampton highlighted two new risk dimensions: software supply chain attacks and developers' "cognitive offloading."
"Supply chain attacks have exploded, and developer credentials are under significant threat," he warned. In the AI era, vulnerability scanning mechanisms that rely on third-party libraries remain indispensable. However, a more insidious crisis lies in the potential degradation of developers' own security skills when they over-rely on AI code generation tools. This "cognitive offloading" effect has been confirmed in multiple studies, and Bampton lists it as a priority for education.
To address this, Monash University has made education a core dimension of its security strategy. Bampton believes security personnel need to proactively establish communication channels with developers. "If you don't know who I am or think I'm unapproachable, I can't really help you," he said. He frames solving security problems as a "marketing and awareness challenge" rather than a purely technical one.
Supercomputers Arrive: A New AI Battleground for Security Teams
With Monash University deploying the MAVERIC AI supercomputer and a batch of dedicated AI development machines, the focus of security teams is also shifting toward AI and non-deterministic ways of working. Bampton said that as an application security practitioner, he is increasingly concerned with guiding developers to use this technology responsibly.“What we ultimately want is secure code, code that functions properly, and robust solutions that can scale.” He noted that although the technology stack is changing, the fundamental principles of application security—interpersonal communication and collaboration—remain valid. In a world increasingly automated by AI tools, trust and connection between people are becoming the most critical “security patch.”
Long-term Trend: AI Security Requires New Organizational Logic
The case of Monash is not an isolated one. From a global perspective, the application of AI in security is evolving from “assisted discovery” to “autonomous remediation,” but organizational processes and cultures often lag behind. Enterprises need to reexamine the vulnerability management lifecycle: when AI can identify a vulnerability in minutes, the remediation process should no longer operate on a weekly or monthly basis.
A deeper challenge is that AI itself can become an attack surface. As developers rely on AI-generated code, the “shadow dependencies” in the supply chain grow exponentially. Security teams must develop new capabilities to audit AI-generated code while avoiding an avalanche of technical debt.
Bampton is optimistic about the future, but he emphasizes that foundational work must not be neglected. Amid the AI wave, Monash University is attempting to provide a model for security governance in higher education through a combination of “interpersonal connection + continuous education + controlled computing.” This exploration may hint at the general evolution direction of application security in the post-AI era: the more automated the technology, the more critical the human role becomes.
Source boundary · thedailytech
thedailytech frames this note through Tech News / AI & Innovation / Big Tech. Source links should be opened before the summary is reused: dates, names and status changes still need checking. Tech News / AI & Innovation / Big Tech explains the local editorial angle.