SAN FRANCISCO - While supply chain risks remain prevalent across enterprises of all sizes, Synopsys' Tim Mackey said AI tools will enable developers more than attackers - at least for now.
Supply chain security was a significant topic that speakers and vendors addressed during RSA Conference 2024 earlier this month.
The secure-by-design concept, which pushes for security first when developing software, was highlighted throughout the conference, particularly for AI projects.
Many speakers and cybersecurity vendors touted the benefits of AI for security, including in software development.
TechTarget Editorial spoke with Tim Mackey, head of software supply chain risk strategy at Synopsys, about his primary concerns with open source software, how supply chain risks can be addressed and what role AI could play moving forward.
If it's sample-ish code, well, I don't know what it is, so I may cut and paste it indirectly.
Where AI is showing itself to be advantageous is helping developers do more.
The more we can use AI on the good side for security, quality and stability purposes, the better the chance that we're going to have at the attackers being defeated.
AI doesn't know all the context, so the human still needs to do all the work, but as far as the 'code is code' part, that's where AI can really help out.
Mackey: If you look at the supply chain, the people who are creating the foundational components don't know what the end product is, so they're testing something to their quality.
All of these artifacts are attached to the software to document proof that the right testing was done.
Risk management in the supply chain is all about measuring the decisions that were made somewhere else in the chain.
There have been recent supply chain attacks on GitHub.
Mackey: The problem with GitHub or any of the software repositories is at some point someone's going to have to take that code.
It's about functionality, and that puts the onus on the consumer of the software to do the right thing.
It's the not-fun part for developers, and developers want to have fun.
Mackey: Something I've been saying for years: You need to know all the software you have.
The thing is that different teams view what software is differently.
The people who own servers don't realize there's a pile of firmware inside the server, and that they are therefore an owner of software, and a bunch of software at that.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
This Cyber News was published on www.techtarget.com. Publication date: Tue, 28 May 2024 19:13:05 +0000