AI and Software Supply Chain Security: Proceed with Caution
In this episode, Matt touches on the newfound popularity of AI in relation to Software Supply Chain Security, pointing out the concerns he has for this technology being used by both good and bad actors.
• More RG: Supply Chain in Art and Life
• Blog: RSAC 23: Supply chain and AI
• Special: The State of Supply Chain Security
MATT ROSE: Hi everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode, as you can see across the board is AI and [Software Supply Chain Security]. A little bit of a recap here a couple weeks ago, I'm sure a lot of you attended RSA and every year at RSA there's a theme.
You see something over and over again in messaging and presentations and brochures and all that, and through an unofficial kind of investigation this year, AI, SSCS or software supply chain security, and SBOM seemed to be on everybody's radar this year. Everybody wanted to talk about AI for different applications, ChatGPT changing the world, blah, blah, blah, blah, blah.
But it's interesting to think about AI, SSCS and SBOMs as a kind of, entity in together. That's why this episode is entitled AI and SSCS. Just always gotta start with a little bit of humor in all my references. Whenever I hear AI, I immediately go to Skynet, if anyone's a Terminator fan, Skynet terminators took over the world, all that good stuff... AI is getting there.
We're not there yet, but I always caution people that, hey, we've already seen this foreshadowed by Terminator. Maybe we should be a little cautious with how we're using AI. And that's the point of this episode. So thinking about applications in software supply chain security or software supply chain in general associated with AI.
You can think about a couple use cases here and just these are things to think about is, anybody can now say, hey, AI platform that I like a lot: generate malware. I wanna see some malware. I'm gonna create malware. Okay, interesting. People can actually do that. And again, it's all about the data that's out there and crowdsourced.
So a developer or somebody could use it to create malware and now you have another, nefarious dude as I like to call 'em out there. The second one is developers, like the open source initiative using AI or a AI platform, like again, ChatGPT, I'll just use that one, to write some code, hey, ChatGPT, I gotta do this stupid thing.
Write me some code in Python or whatever it is, or write me some code in C Sharp. And you get a little piece of uh, application. But again, where is that data coming from? So a developer using it to write code that they will put into a production application concerns me with supply chain security risk because again, they're using that to generate code and that source of wherever that code created is unknown. Not everybody understands an application. You still don't know where the Chat GPT or other AI type of platform is using it. So developers using that is very dangerous. And then the third area to really think about is people creating content.
Again, there's a Nvidia just released a platform called NEMO Guardrails around access to data or what an AI solution could be. I think this is a really important step in to say, okay, I'd like to use a AI platform for correlation of results or generating a job description.
I have a friend that does that. But really when you put your data into a AI platform to create something, you may be compromising company secrets. You may be compromising customer data 'cause you're saying, hey, here's all this data. Create me something interesting. So it's another lens of risk within the supply chain that if you're using this to create something that you put into your product, it may be that disassociative path of information getting in, in an unanticipated way. So again, big topic at RSA, AI and SSCS. There's a bunch of things coming out on how AI can be used in application security or security in general. There's good applications, but there's always questions about using it in ways that circumvent the protections that you're focusing on for your software supply chain security initiatives.
I'm Matt Rose, Field CISO, ReversingLabs. Hope you enjoyed this episode of ReversingGlass. Have a great day.