Sonatype CTO Brian Fox discusses the intersection of AI and open source security with OpenSSF's CRob. Key topics include 'slop squatting' — where AI models consistently hallucinate package names that malicious actors then register with backdoors — and findings from Sonatype's 11th annual State of the Software Supply Chain Report showing AI models recommend made-up dependency versions 30% of the time. Fox argues that the Model Context Protocol (MCP) could solve developer compliance by injecting real-time security data directly into AI agents, replacing fragile IDE plugins. The conversation also covers the open source sustainability crisis: producing secure, attested builds is no longer free, yet the ecosystem generates $8 trillion in economic value while infrastructure costs go largely unfunded. Fox urges organizations to design AI-native SDLCs with security upfront rather than bolting it on afterward.

28m read time, from openssf.org