What a year 2024 has been - a brief summary

It was a very exciting year. Actually, it was a rough, difficult, extremely busy, but also a very exciting year. It's been a rush from the start. First, I needed to get my OSWP done before my OffSec subscription ran out at the end of Feb. Then, there were a couple of opportunities to speak at space-related security conferences in Europe (CySAT and Security for Space Systems at ESA), so I had to focus on that. In the meantime, I was cracking a whitepaper about hacking a space protocol, which was then followed by a presentation outline in preparation for DEFCON in August. I was then invited to give a talk at BSides Ahmedabad in October and also had the opportunity to give another one at BSides Munich in November. All that was in parallel with daily vulnerability research at work, which resulted in 11 new CVEs already published (and at least 10 more pending publication), and a couple of new research papers already published (and at least a couple more pending publication). In summary, I accomplished more in 2024 than in the ten years before I transitioned to the Infosec field. The pace of this field is just incomparable. I feel like I'm on a rushing train, and when I look through the window I can see many other fields disappearing in the distance. The only other discipline I see on a train rushing along a parallel track is still AI. But I always knew that AI would make a good assistant.

When I stop for a moment and think of the Infosec field, it is a phenomenon. It's been rapidly growing for a few years, both in the number of professionals and in the amount of money invested in the field. And yet, despite the effort, it feels like we're less secure than ever. Just look at the number of vulnerabilities found in 2023 vs 2024. According to Statista, in 2023 there was a new record of 29,000 new vulnerabilities and CVEs discovered. In 2024 this number was already 52,000 in August. Why aren't we more secure?

I attribute this to two things: a) more products are coming out than ever, many of them without proper security testing in place, or neglecting security altogether. Especially in Europe, it looks like most major organizations got security backward. Instead of treating it as an investment that will prevent them from becoming the headline of yet another security breach, they try to make money on it by selling security as another buzzword (even better if it has AI in it).

b) the rise of AI in the world of software development. Let's be honest, AI can generate some code, but that code is of the worst quality, full of bugs and security issues. It somewhat works though, and unfortunately for many, that is enough. It's a pity really, because I was very much excited about AI and how rapidly it grows. The direction in which it grows, however, is really disturbing. Although it was bad from the get-go, for a few years the only way people knew how to monetize AI efforts was through advertising. Now, it shifts more and more towards generating code for products that we use daily. Not only will this worsen the software development capabilities of an organization in the long term (because hey, that's just LLM coding baby - denial of attention attack), but it also affects us at a personal level by making us less secure with all those vulnerabilities. Sure, this means Infosec professionals will have more work. On the other hand though, looking at the current geopolitical situation in the world, stand-offs between nuclear powers and cyberspace becoming a playground for nation states to exercise adversarial capabilities against other nation states, the future looks quite scary.

What can we do about it? Well, it's not really about what, because we all know what to do as it is common sense. The problem is the how. How do we convince the organizations to start treating security seriously, and not as a policy or requirement to put in place and forget about it, a module that they can just enable, or a nonsense product they try to sell and make money on? I think as hackers we should tackle it in the way we know best: find and disclose vulnerabilities, and then talk about it to anyone who will listen.

But I digress, let's make this one of the goals for 2025 and move on.

One major exciting accomplishment of 2024 is that the day before Christmas I managed to close a book deal with a publisher. The idea of writing a book is surreal, to begin with, but getting the deal done right before Christmas is both the best and the most bizarre gift ever. I think I'm still digesting it.

Although it's been a very successful year, the most exciting part of 2024 is the people I met and the friends I made on three different continents.

So, what do I expect 2025 to bring? First of all, a ton more vulnerability disclosures, especially since a fair number are already going through the responsible disclosure process. There are a couple of quite exciting projects (one of them being the book writing, of course) that will kick off, and a few more trips already scheduled (one of them being the best hacker summer camp - DEFCON), not to mention the new people I'm gonna meet on my journey through 2025, many of whom I will certainly become friends with. Happy New Year!