Bridging the Gap: A Study of AI-based Vulnerability Management between Industry and Academia
Shengye Wan, Joshua Saxe, Craig Gomes, Sahana Chennabasappa, Avilash Rath, Kun Sun, Xinda Wang

TL;DR
This paper investigates the gap between academic AI-based vulnerability management research and industry adoption, identifying key barriers and proposing future directions to enhance collaboration and practical usability.
Contribution
It provides an empirical analysis of industry challenges and barriers to adopting AI models, and suggests strategies to bridge the gap between research and practice.
Findings
Industry concerns include scalability, customization, and financial impact.
Research faces challenges due to lack of real-world data and expertise.
Proposes future directions for better collaboration between academia and industry.
Abstract
Recent research advances in Artificial Intelligence (AI) have yielded promising results for automated software vulnerability management. AI-based models are reported to greatly outperform traditional static analysis tools, indicating a substantial workload relief for security engineers. However, the industry remains very cautious and selective about integrating AI-based techniques into their security vulnerability management workflow. To understand the reasons, we conducted a discussion-based study, anchored in the authors' extensive industrial experience and keen observations, to uncover the gap between research and practice in this field. We empirically identified three main barriers preventing the industry from adopting academic models, namely, complicated requirements of scalability and prioritization, limited customization flexibility, and unclear financial implications. Meanwhile,…
Taxonomy
Topics: Occupational Health and Safety Research
