Big Thoughts, Open Sources: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source
In this inaugural episode of Big Thoughts and Open Sources, host Crob sits down with Brian Fox, Co-founder and CTO of Sonatype, to dissect the friction between rapid AI adoption and foundational software security. Brian shares insights from the 11th annual State of the Software Supply Chain Report, revealing the emergence of "slop squatting" and the high frequency of AI models recommending non-existent or vulnerable dependencies. The conversation explores how the Model Context Protocol (MCP) could revolutionize developer compliance and why the industry must fund the critical infrastructure supporting our trillion-dollar open source ecosystem.
Chapters:
00:23 Welcome: Big Thoughts, Open Sources inaugural episode.
01:01 Brian Fox's journey: Apache Maven, Sonatype, and OpenSSF.
02:53 The critical role of Maven Central in the software supply chain.
03:26 Decades of security trends: The persistent "Log4Shell" pattern.
05:34 The "Tribal Knowledge" problem for AI agents.
07:06 State of the Software Supply Chain Report: AI recommending made-up code versions.
08:09 Explaining "Slop Squatting" and AI hallucinations.
10:03 Model Context Protocol (MCP): Turning security tools into AI expert systems.
13:42 Do not ignore 60 years of software engineering "physics".
15:11 The "Vulcan Mind Meld": Injecting governance data into AI agents.
17:19 Risks, rewards, and the need for ML SecOps discipline.
19:30 "Inefficient code is still inefficient code": Lessons from cloud migrations.
21:01 Building an "AI-native SDLC" with upfront security.
24:18 The sustainability crisis: Secure open source builds are not free.
27:17 Conclusion: Funding open source infrastructure (8 trillion dollars of value).
Episode links:
Brian Fox LinkedIn page: linkedin.com/in/brianefox/
Sonatype website: sonatype.com
Maven Central Repository: central.sonatype.com/
The State of the Software Supply Chain Report: www.sonatype.com/sscr
Sonatype Blog: www.sonatype.com/blog
OpenSSF AI/ML Security Working Group: openssf.org/groups/ai-ml-security/
Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security: openssf.org/resources/visualizing-secure-mlops-mlsecops-a-practical-guide-for-building-robust-ai-ml-pipeline-security/
Get involved with the OpenSSF: openssf.org/getinvolved
Subscribe to the OpenSSF newsletter: openssf.org/newsletter
Follow the OpenSSF on LinkedIn: linkedin.com/company/openssf
You can read the full transcript of this podcast episode here: https://openssf.org/podcast/2026/04/06/whats-in-the-soss-podcast-58-s3e10-big-thoughts-open-sources-beyond-the-hype-brian-fox-on-securing-the-agentic-future-of-open-source/
Video "Big Thoughts, Open Sources: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source" from the OpenSSF channel
No comments
Video information
7 April 2026, 17:01:33
Duration: 00:29:13