Cybersecurity Snapshot: Security Lags Cloud and AI Adoption, Tenable Report Finds, as CISA Lays Out Vision for CVE Program's Future
Summary: The article outlines key challenges and best practices in cloud security, AI security and vulnerability management. A Tenable report finds that organizations face identity-management problems, skills gaps and insufficient leadership support in AI and cloud environments; CISA released a roadmap for strengthening the CVE Program; NIST updated its guidance on secure software patches; CIS found TLS/SSL configuration issues; and the NCSC explores AI security measures. 2025-9-12 13:0:0 Author: www.tenable.com

Check out Tenable’s report detailing challenges and best practices for cloud and AI security. Plus, CISA rolled out a roadmap for the CVE Program, while NIST updated its guidelines for secure software patches. And get the latest on TLS/SSL security and AI attack disclosures!

Here are five things you need to know for the week ending September 12.

Key takeaways

  1. Organizations are struggling to secure their AI systems and cloud environments. They need proactive security, robust identity protection and more leadership support.
  2. The future of the CVE Program became clearer after CISA unfurled a roadmap for enhancing it.
  3. NIST has updated its guidelines for securely developing and distributing software updates and patches.

1 - Tenable report: Security trails AI and cloud adoption

Use artificial intelligence and cloud now, worry about security later. 

That seems to be the motto of the majority of organizations today – a risky attitude that puts them in a precarious position to manage their cyber risk.

This is the dangerous scenario that emerges from the new Tenable report “The State of Cloud and AI Security 2025.” 

“Most organizations already operate in hybrid and multi-cloud environments, and over half are using AI for business-critical workloads,” reads the global study, commissioned by Tenable and developed in collaboration with the Cloud Security Alliance.

“While infrastructure and innovation have evolved rapidly, security strategy has not kept pace,” it adds.

Cover page of Tenable's "The State of Cloud and AI Security 2025" report


Based on a survey of 1,025 IT and security professionals, the report found 82% of respondents have hybrid – on-prem and cloud – environments. Furthermore, 63% use two or more cloud providers.

Meanwhile, organizations are jumping into the AI pond with two feet: 55% are using AI and 34% are testing it. Among those using AI, about a third have suffered an AI-related breach already. 

“The report confirms what we’re seeing every day in the field. AI workloads are reshaping cloud environments, introducing new risks that traditional tools weren’t built to handle," Liat Hayun, VP of Product and Research at Tenable, said in a statement this week.

Key obstacles to effectively secure AI systems and cloud environments include: 

  • Rudimentary identity and access management protection methods
  • Unfocused and misguided AI security efforts
  • A skills gap
  • Reactive security strategies
  • Insufficient budgets and leadership support

So what’s the fix? Shift from a reactive to a proactive approach to stay ahead of evolving threats. Ways to accomplish that include:

  • Adopting integrated visibility and controls, and embracing consistent policy enforcement across on-prem, cloud and AI workloads
  • Enhancing identity governance for all human and non-human identities that need access
  • Ensuring that executives understand what it takes to secure your company’s AI and cloud infrastructure


2 - CISA unveils plans for improving CVE Program 

The Common Vulnerabilities and Exposures (CVE) Program, whose funding briefly fell into question earlier this year before getting a one-year extension, will not only continue to exist beyond 2026 but will be enhanced and strengthened.

That’s the pledge the U.S. Cybersecurity and Infrastructure Security Agency (CISA) made this week with the release of a two-page vision paper titled “CVE Quality for a Cyber Secure Future.” 

The roadmap envisions the CVE program’s progression from its current “growth era” to a new “quality era” focused on boosting its trust, responsiveness and vulnerability data quality.

“With this strategic vision, CISA is reaffirming our leadership role and seizing the opportunity to modernize the CVE Program, solidifying it as the cornerstone of global cybersecurity defense,” Nick Andersen, CISA’s Executive Assistant Director for Cybersecurity, said in a statement.

“In collaboration with the global cybersecurity community, CISA is committed to delivering a well-governed, trusted, and responsive CVE Program aimed to enhance the quality of vulnerability data and global cybersecurity resilience,” he added.

Illustration of cover page of CISA's “CVE Quality for a Cyber Secure Future” publication


Key takeaways from CISA’s plan include:

  • Not privatizing the program, so that it continues to serve the public good and stays transparent, stable and vendor-neutral, while CVE data remains publicly available
  • Growing its partner roster with more international organizations; vulnerability tool vendors; data consumers; researchers; operational technology (OT) representatives; and open source community members
  • Revamping the program’s IT infrastructure to increase automation, expand API support for data consumers and enhance CVE.org
  • Securing ongoing investment from CISA for the program’s infrastructure and core services, while seeking alternative funding sources
  • Improving CVE record quality by adopting new minimum standards, expanding vulnerability enrichment and exploring the use of automation, machine learning and AI

“Tenable welcomes CISA’s commitment to improving the CVE Program through automation, an expanded scope, and a dedication to engage with international partners,” Tenable Chief Security Officer and Head of Research Robert Huber wrote in a LinkedIn post.

The new guidelines are a needed evolution for how vulnerabilities are managed and communicated, with the aim to provide data that’s more timely and comprehensive, according to Huber.

“Better visibility into the threat landscape is always a positive step, and these enhancements should help organizations grappling with an ever-growing volume of exposures,” he wrote, adding that Tenable looks forward to seeing the practical impact of these changes.


3 - NIST updates guidance for secure software updates and patches

When a software maker issues an errant software update or a poorly crafted vulnerability patch, the impact on the recipients can be severely disruptive.

To help with this issue, the U.S. National Institute of Standards and Technology (NIST) has revised its recommendations for issuing software updates and patches securely.

The new guidance is contained in the 5.2.0 revision of NIST Special Publication (SP) 800-53, which is titled “Security and Privacy Controls for Information Systems and Organizations.”

“The changes are intended to emphasize secure software development practices, and to help organizations understand their role in ensuring the security of the software on their systems,” NIST computer scientist and project leader Victoria Pillitteri said in a statement.

Illustration of a shield with bandages in the middle to illustrate software patches

(Image generated by Tenable using Google Gemini)

The new and enhanced controls address software development and deployment areas, such as software and system resiliency; testing, deployment and management of updates; and software integrity and validation. 

Specifically, these new controls have been added to the document:

  • Logging Syntax, which establishes a consistent electronic format, making it easier to automate the data analysis and helping teams respond to incidents quickly and effectively.
  • Root Cause Analysis, which addresses the “detective work” of zeroing in on the precise reason a software update failed before drafting and implementing a remediation plan.
  • Design for Cyber Resiliency, which recommends designing robust systems that can anticipate threats, withstand attacks, respond effectively, and recover quickly – all while keeping the most important services up and running.


4 - CIS sheds light on TLS and SSL security issues

Attention must be paid to the implementations of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

That’s the conclusion reached by the Center for Internet Security’s CIS Red Team and Cyber Threat Intelligence (CTI) Team after scanning the networks of state and local government agencies during the first half of 2025.

These external scans, requested by these government agencies as members of the Multi-State Information Sharing and Analysis Center (MS-ISAC), found many critical vulnerabilities and misconfigurations.

Illustration to show security challenges of TLS/SSL

(Image generated by Tenable using Google Gemini)

Many of these security issues were due to cryptographic failures, the most critical of which were related to TLS and SSL implementations.

“These weaknesses undermine encrypted communications and leave systems exposed to potential exploitation,” reads the CIS blog “Top External Network Risks And How to Fix Them.”

The most prevalent TLS/SSL-related problems include the use of:

  • End-of-life TLS/SSL versions, such as TLS 1.0 and 1.1
  • Weak encryption ciphers, such as RC4, DES, 3DES, and ARC4
  • Inadequate key exchange mechanisms, which can expose data in transit to decryption by attackers
  • Misconfigured SSL certificates, including those that are expired, self-signed or have domain mismatches

In addition, CIS detected high-profile legacy vulnerabilities which attackers can exploit when legacy protocols are enabled.

Recommendations include:

  • Disable outdated TLS versions in favor of TLS 1.2 or higher.
  • Make sure that TLS/SSL server configurations enforce strong ciphers and key exchange mechanisms.
  • Ensure all SSL certificates are valid and securely configured.
  • Conduct comprehensive vulnerability scanning.
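As an added example (not code from CIS, MS-ISAC or the original post), the Python below turns those recommendations into checks: it audits constructed scan records for the weaknesses listed above (end-of-life protocol versions, RC4/DES/3DES ciphers, and expired, self-signed or mismatched certificates) and builds a server-side SSLContext that enforces TLS 1.2 or higher and excludes the weak ciphers. The hostnames, dates and cipher lists in the sample records are constructed.

```python
import ssl
from datetime import date

# Constructed sample scan records (not real hosts): what an external
# scan might report for two services, one weak and one hardened.
SCAN_RECORDS = [
    {"host": "portal.example.gov", "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
     "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
     "cert": {"not_after": date(2024, 11, 30), "self_signed": False,
              "cn": "portal.example.gov"}},
    {"host": "api.example.gov", "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256"],
     "cert": {"not_after": date(2026, 5, 1), "self_signed": True,
              "cn": "internal.example.lan"}},
]

EOL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "ARC4", "DES")  # "DES" also catches 3DES (DES-CBC3)


def audit_record(rec, today=date(2025, 6, 30)):
    """Return one finding string per weakness found in a scan record."""
    findings = []
    for proto in rec["protocols"]:
        if proto in EOL_PROTOCOLS:
            findings.append(f"end-of-life protocol enabled: {proto}")
    for cipher in rec["ciphers"]:
        if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher offered: {cipher}")
    cert = rec["cert"]
    if cert["not_after"] < today:
        findings.append(f"certificate expired on {cert['not_after']}")
    if cert["self_signed"]:
        findings.append("certificate is self-signed")
    if cert["cn"] != rec["host"]:
        findings.append(f"certificate name mismatch: {cert['cn']} vs {rec['host']}")
    return findings


def hardened_server_context():
    """Server context applying the fixes: TLS 1.2+ only, no RC4/DES/3DES/NULL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!3DES:!DES:!aNULL")
    return ctx


def offered_weak_ciphers(ctx):
    """Cipher names the context would still negotiate that match the weak markers."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)]
```

Running `audit_record` over each record reproduces the CIS categories as discrete findings, and `offered_weak_ciphers(hardened_server_context())` is empty, which is the property to assert in a configuration test.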


5 - NCSC looks at adapting cybersecurity tactics to protect AI systems

Could the practice of vulnerability disclosure be adapted to help secure AI models?

The U.K. National Cyber Security Centre (NCSC) is pondering that question, as it mulls how helpful it would be to methodically codify attackers’ bypasses of AI safeguards similarly to how conventional software vulnerabilities are disclosed, tracked and managed.

“Key areas of transfer include secure development lifecycles to minimise built-in weaknesses, and effective triage and remediation planning,” reads an NCSC blog post. “We think applying these foundations will probably help mitigate AI safeguard bypasses as much as they do standard software vulnerabilities.”



The idea is to move AI security from a discipline anchored primarily in research to an operational security practice. One step in this direction, the NCSC says, would be to encourage the security community to discover AI security bypasses via bug bounty programs, effectively crowdsourcing the security testing of AI systems. 

A key for success would be to ensure responsible disclosure of the findings. The NCSC lists core features of a strong disclosure program, including a clearly defined scope; a well-timed launch and duration; and easy-to-track reports.


Juan Perez

Senior Content Marketing Manager

Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.


Article source: https://www.tenable.com/blog/cybersecurity-snapshot-security-lags-cloud-and-ai-adoption-tenable-report-finds-as-cisa-lays