A novel security strategy involves 'AI vendoring': instead of importing a fragile open-source dependency, an organization can task its own agentic coding system to generate a new, proprietary version of that functionality. This brings the code under internal control, eliminating risks from third-party repositories.
The attack on the widely used LightLLM package demonstrates a major software supply chain vulnerability. Malicious code inserted into a routine update silently stole credentials from countless AI tools, a risk that will be amplified by autonomous AI agents.
The same AI technology amplifying cyber threats can also generate highly secure, formally verified code. This presents a historic opportunity for a society-wide effort to replace vulnerable legacy software in critical infrastructure, leading to a durable reduction in cyber risk. The main challenge is creating the motivation for this massive undertaking.
AI agents prioritize speed and functionality, pulling code from repositories without vetting them. This behavior massively scales up existing software supply chain vulnerabilities, risking a collapse of trust as compromised code spreads uncontrollably through automated systems.
Instead of importing external libraries, AI agents can rewrite them from scratch. This 'in-housing' of dependencies strips away unnecessary generic features, focusing only on required functionality. This simplifies security reviews and patching, as the code becomes first-party.
AI tools that automatically write applications often pull assets from open-source libraries. This creates a massive security risk, as these agents must be explicitly directed to use secure, vetted repositories to avoid introducing vulnerabilities at scale without human oversight.
Inspired by ESG's Scope 3, which assesses supplier impact, building secure AI requires preemptively vetting the entire software supply chain. Companies must treat open-source packages and dependencies as suppliers, ensuring every component is secure from the start, rather than reactively scanning for flaws.
Anthropic's AI found thousands of vulnerabilities in supposedly well-vetted open-source code. Because this code is widely copied and embedded in countless enterprise systems, these flaws represent a massive, previously unknown attack surface across global digital infrastructure.
Instead of shipping compiled libraries, provide a detailed specification for an AI coding agent to read and implement locally. This emerging 'ghost library' model creates minimal, custom implementations, reducing bloat and making the code fully owned and modifiable by the local agent ecosystem.
Unlike traditional software, AI agents can compose new dependencies on the fly by loading external tools, installing packages, or altering infrastructure. This creates a dynamic, multilayered supply chain risk that evolves at runtime and cannot be managed with static vulnerability scans alone.
While AI will increase cyber risk by enabling faster vulnerability scanning and generating potentially insecure code, it will also be the solution. AI agents will be needed to review code and defend systems, creating a massive new market for "agentic security" companies.