Navigating AI risks in software development: The impact on security and your supply chain

Watch this video to learn how supply chain security is evolving with AI and discover Minder, a new open source project.

Craig McLuckie, co-founder and CEO of Staklok, sat down with the All Things Open team to share his expertise on the evolving role of AI in developer workflows and security. With his deep background in Kubernetes and open source communities, Craig discusses how generative AI models are changing development practices. He highlights the shift from traditional code searching to AI-driven code generation, which his boosting productivity, but also introducing new security challenges, as malicious actors can potentially exploit AI to inject harmful code into environments.

“Generative AI is fundamentally changing the way developers work, but it’s also introducing new challenges—hackers are now able to use AI to produce and deploy malicious code, which requires a complete rethinking of how we approach security.” — Craig McLuckie

Craig also dives into the limitations of relying solely on CVEs (Common Vulnerability Exposures) for security. As AI-powered tools become more prevalent, hackers are using these same models to create and deploy malicious code, which demands a new approach to securing the software supply chain. He stresses the need for organizations to go beyond CVEs and adopt a broader, more proactive strategy to mitigate evolving threats.

Automate and streamline security policy enforcement with Minder

Additionally, Craig introduces Minder, an open source tool developed by Staklok, designed to help organizations manage security policies across their software development lifecycle (SDLC). By using Minder, teams can automate security best practices and create reconciliation loops to reduce vulnerabilities, making it easier to maintain secure codebases.

Key takeaways

• AI is reshaping developer workflows by providing code suggestions, but it also creates new security risks that require proactive management.
• Security strategies must go beyond CVEs, addressing the risks of AI-generated code and securing the entire software supply chain.
• Minder is a powerful open source tool for automating security policy enforcement across the SDLC and enhancing supply chain security.

Conclusion

Craig’s insights underscore the dynamic intersection of AI and security, urging developers to adapt to rapid changes. His call to action is clear: The open source community is a powerful resource. By exploring tools like Minder and connecting with peers, developers can better secure their environments and continue to innovate.

More from We Love Open Source

• How FreeBSD helps set the standard for supply chain protection
• From journalism to AI: Redefining yourself in tech
• From HTML to AI: What the modern technical writer’s toolkit looks like
• Why your organization needs an Open Source Program Office (OSPO)