Software Engineering Daily Podcast: Feross on AI, Open Source, and Supply Chain (socket.dev)

🤖 AI Summary
In a recent episode of the Software Engineering Daily podcast, Socket CEO Feross Aboukhadijeh discussed the growing risks of open-source software supply chain attacks and the implications of AI for security. Aboukhadijeh drew on historic incidents like the event-stream compromise to emphasize that software teams must treat open-source dependencies with the same scrutiny as their own code. He advocated practices such as using lock files and carefully vetting new dependencies to mitigate potential threats, especially given the sophistication of modern attacks.

The conversation also highlighted the intersection of AI technology and security vulnerabilities. As businesses rush to integrate AI under management pressure, they often overlook the security of sensitive systems, enabling attackers to exploit new vulnerabilities, such as those associated with auto-generated code from language models. Aboukhadijeh warned that malicious actors are already registering package names that AI might hallucinate, posing real risks to ongoing projects. This episode serves as a critical reminder for the AI/ML community to bolster security measures as the software supply chain evolves amidst rising AI adoption.