UPDATED 19:48 EST / APRIL 25 2023

SECURITY

Will AI help or hurt enterprise software security at large?

Artificial intelligence has generated a lot of buzz around securing enterprise software and operations.

However, a lingering inability to follow best practices and nail the fundamentals still plagues the industry at large, according to Brian Fox (pictured), chief technology officer of Sonatype Inc.

“We have done some studies for years, and I think last year was our eighth year in a row,” he said. “The thing that I’ve been rattling on about since then is that around 96% of the time when organizations are pulling down vulnerable components, there’s already a fix available, which tells me that the problem is on the consumption side. There are a lot of conversations about all the novel edge cases when, as an industry, we’re failing to follow best practices and deal with the fundamentals.”

Fox spoke with theCUBE industry analyst John Furrier at the RSA Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how companies should prioritize their security operations, especially given the complexities AI brings. (* Disclosure below.)

The role of AI in software development: Risks and benefits

People are already employing AI tools, such as ChatGPT, to write code, some of it mission-critical. It's important, therefore, to assess the implications of that trend and of the other AI-related shifts reaching the industry, according to Fox.

“I don’t think the AI aspect of this really affects the dependencies yet,” he said. “When people are choosing to put bad components in [the software stack], it has less to do with the new custom code that they’re creating and more to do with the hygiene of their dependency stack.”

The main security issue is that organizations are still falling victim to vulnerabilities that have already been publicly disclosed and, in most cases, already fixed upstream: the exposure comes from which component versions teams choose to pull in, according to Fox. So, there's a need to tighten the software supply chain on the consumption side.

“As of last week, 29% of the consumption worldwide of Log4j versions are of the known vulnerable versions,” he said. “Everybody in the industry knows that it was an issue. We’re closing in on 18 months at this point. How is it that a third of organizations are still pulling down these known vulnerabilities 18 months later?”
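The consumption-side check Fox is describing can be made concrete. The script below is an added example, not Sonatype's tooling or anything from the interview: it reads the dependencies declared in a Maven pom.xml, matches each against an advisory table, and separates pulls of a vulnerable version for which a fixed release already exists (the failure Fox's 96% figure describes) from pulls where no fix has shipped yet. The advisory table, the `com.example` artifacts and the pom.xml fragment are constructed for the example; the log4j-core range follows the guidance to move to 2.17.1, but a real check must load ranges from an authoritative advisory feed rather than a hand-written table.

```python
"""Consumption-side dependency audit (illustrative example, not Sonatype's code).

Flags declared dependencies that fall inside a known-vulnerable range and
records whether a fixed release already existed when the version was pulled.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory table. Keys are (groupId, artifactId); "affected" is a
# [low, high) version range. widget-lib is fictional and has no fix yet.
# A real check would load this from an authoritative feed (OSV, GHSA, NVD).
ADVISORIES = {
    ("org.apache.logging.log4j", "log4j-core"): [
        {"id": "EXAMPLE-LOG4J", "affected": ("2.0", "2.17.1"), "fixed": "2.17.1"},
    ],
    ("com.example", "widget-lib"): [
        {"id": "EXAMPLE-NOFIX", "affected": ("1.0", "1.4"), "fixed": None},
    ],
}

# Constructed pom.xml: one fixable exposure, one with no fix, one clean library.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>widget-lib</artifactId>
      <version>1.2.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>clean-lib</artifactId>
      <version>3.1.0</version>
    </dependency>
  </dependencies>
</project>
"""


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    advisory_id: str
    fixed_version: Optional[str]  # None means no patched release exists yet


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints.
    Qualifiers after '-' are dropped; Maven's full ordering rules are richer."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version < high under parse_version ordering."""
    return parse_version(low) <= parse_version(version) < parse_version(high)


def declared_dependencies(pom_xml: str):
    """Yield (groupId, artifactId, version) for each <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(f"{POM_NS}dependency"):
        fields = [dep.findtext(f"{POM_NS}{tag}") for tag in ("groupId", "artifactId", "version")]
        if all(fields):  # skip entries whose version is inherited from a parent or BOM
            yield tuple(fields)


def audit_pom(pom_xml: str, advisories: dict) -> list:
    """Return one Finding per declared dependency that sits in an advisory range."""
    findings = []
    for group, artifact, version in declared_dependencies(pom_xml):
        for adv in advisories.get((group, artifact), []):
            low, high = adv["affected"]
            if in_range(version, low, high):
                findings.append(Finding(group, artifact, version, adv["id"], adv["fixed"]))
    return findings


def fix_available_share(findings: list) -> float:
    """Fraction of vulnerable pulls for which a fixed release already existed."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed_version) / len(findings)


if __name__ == "__main__":
    results = audit_pom(SAMPLE_POM, ADVISORIES)
    for f in results:
        action = f"upgrade to {f.fixed_version}" if f.fixed_version else "no fix yet: mitigate or replace"
        print(f"{f.group}:{f.artifact}:{f.version} ({f.advisory_id}) -> {action}")
    print(f"findings with a fix available: {fix_available_share(results):.0%}")
```

Run against a real project, the useful number is the share of findings where `fixed_version` is set: a high value means the organization is choosing stale versions of components that were already patched, which is exactly the hygiene problem Fox points to, and the fix is a policy that blocks those versions at the repository manager or in CI rather than a novel detection technique.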

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the RSA Conference:

(* Disclosure: Sonatype Inc. sponsored this segment of theCUBE. Neither Sonatype nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
