“Being able to fundamentally trace the full lineage of AI is step one at Lineaje.”

“You can convert a developer to become a security expert, but you can't make a security person a good developer.”​

“More of us need to take a larger view of the overall problem and to get involved where we can, so that we can all be accountable for our different pieces of the software.”

“An SBOM by itself will not protect you, but everything we need to implement in our software processes starts with that level of transparency.Keep things community built. One thing that I really love about the SBOM world is that we have a lot of competitors working together, because we are only going to get demand for transparency if there is a broader reason for why it is needed.”

“Managing developers without directly overseeing them is challenging. At Checkmarx, we're proactively scanning platforms like Hugging Face to identify potential threats in code, its origins, and the people involved. It's tough, but being proactive is essential.”

“Last year, I started the OWASP Top 10 for large language models and included supply chain risk because it seemed obvious. As I wrote my book on large language model security, the supply chain chapter became the longest due to its complexity. While I encourage experimentation with AI technologies, it's crucial to be aware of the risks. Platforms like Hugging Face have had multiple breaches and security issues, with hundreds of poisoned models, making this area quite dangerous.”

“When discussing open source, it’s crucial to understand your components and drive visibility. This means clearly identifying what we know about reusability, the extent of our open source usage, and the percentage of our software built with open source components. Additionally, we need to be aware of any political components within these, and whether we’re using vulnerable portions. Achieving this visibility helps drive the conversation and reduce complexity.”

“I believe security practitioners have been addressing the wrong issues. Relying on developers to improve security is a failure since their primary focus is on delivering products, not on security. The API space is particularly challenging due to its vast dependencies and external services. By 2030, it's predicted that all internet traffic will pass through APIs, making effective API security crucial.”

“I realized that understanding software bills of material (SBOM) was lacking because initial discussions only involved end users and software providers. I saw that the developer tools and related ecosystem were missing, so I gathered 30 companies from various areas like developer tools, repositories, and vulnerability management to build a comprehensive standard.”

“There is no magic at Chainguard there's a lot of hard work done exceptionally well. What that means is, rather than building your dependencies a year ago, we build them daily, sometimes several times a day.”

“That’s a big question regarding regulations and requirements. When you look across industries and verticals, the impact is tremendous. In med tech, specifically, I see it as the frontrunner in this race. It’s about who can achieve compliance and get the regulations out there quickly to meet cybersecurity requirements. From an FDA perspective, most people know that the FDA pushes hard on the software bill of materials (SBOM). Last year, they gained legislative authority and rewrote the FD&C Act, a document over 100 years old, to include requirements for SBOM. This transparency through SBOM is something the FDA is very keen on, and other industries are starting to see its importance as well.”