S2 E1: One Dependency Away: Supply Chain Security in the Age of AI

Is your Kubernetes security one dependency away from a total disaster? Dive deep into supply chain security risks, the rise of dangerous AI agents, and the urgent need for a zero-trust approach in the age of GenAI.

William Morgan chats with Mike Lieberman, co-founder of Kusari, to dissect the critical challenges facing modern software development, starting with securing open source in cloud native environments. Lieberman points out that up to 70% of code comes from open source, making robust defense of ingested software critical. They also chat about how to simplify the acronym jungle of supply chain security by framing it as SDLC security, focusing on observability tools like SBOM and attestations for code verification and tracking.

The biggest threat introduced by GenAI is non-deterministic agentic software running in production. Lieberman explains how AI agents can scale attacks, such as automating malicious pull requests on open source projects, making zero trust cybersecurity the only viable defense. He introduces tools like GUAC (Graph for Understanding Artifact Composition) for supply chain observability and predicts that the future of security will be managed by focused agents mirroring organizational structure.

Read the blog post: www.buoyant.io/ai-kubernetes-episode/supply-chain-security-in-the-age-of-ai

TAKEAWAYS

✓ Supply Chain Security is essential for Kubernetes Security, focusing first on understanding and minimizing the attack surface of ingested open source software.

✓ The primary risk from GenAI is non-deterministic agentic software, which can lead to unpredictable and destructive actions like database deletion if given too much latitude.

✓ Implement a zero trust cybersecurity methodology to limit access for both human and AI actors, ensuring only approved entities can merge code or access build secrets.

✓ Tools like SBOMs simplify component communication, while GUAC provides crucial observability for visualizing the software supply chain and tracking dependencies for license and vulnerability risks.

Don't let your infrastructure be one dependency away from compromise! Like this video, subscribe to the AI Kubernetes Show for more insights, and hit the notification bell.

What are the zero-trust practices you've implemented to secure your cloud native supply chain against AI agents? Let us know in the comments below!

#Cybersecurity #SoftwareSecurity #SupplyChainSecurity #KubernetesSecurity #AIAgents #ZeroTrust #CloudNative #OpenSource #CNCF #GUAC

Видео S2 E1: One Dependency Away: Supply Chain Security in the Age of AI канала Buoyant