What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
What's Up with Tech?
Self-Healing Code: How AI Transforms Software Supply Chain Security
Interested in being a guest? Email us at admin@evankirstel.com
The invisible layers of software beneath our applications harbor unseen risks that could compromise entire organizations. Nick Mistry CISO from Lineaje Inc pulls back the curtain on why software supply chain attacks like SolarWinds and Log4j caught so many companies unprepared—despite having robust security programs in place.
Software today can contain dependencies that run 60 layers deep, creating a perfect hiding place for malicious code or vulnerabilities. As Nick explains, "Open source people who develop open source are in it to drive innovation. They're not necessarily in it to maintain that software over time." This fundamental tension sets the stage for the security challenges we're witnessing.
What makes Lineaje approach different is their comprehensive scanning of both source code and compiled binaries to detect tampering, combined with their "Gold Open Source" program that provides pre-vetted, secure components. Most exciting is their "agentic AI" technology that automatically remediates vulnerabilities without breaking applications—completing in minutes what would take developers weeks to accomplish manually, all while keeping sensitive code within your environment.
The conversation takes a fascinating turn when Nick discusses how AI is transforming the threat landscape itself. "The old world of prioritizing vulnerabilities based on exploitability is quickly becoming outdated," he warns. "Threat actors can now use AI to get any vulnerability, whether it has an exploit or not, and create an exploit almost overnight with very little skill." This reality demands a fundamental shift in how we approach software security.
Want to take immediate action? Start by creating a comprehensive Software Bill of Materials (SBOM) for your applications. Join us at the Lineaje Software Supply Chain Summit on August 4th at #BlackHat to learn more about using AI for security and securing AI itself.
More at https://linktr.ee/EvanKirstel
Hey everyone, fascinating chat today as we talk about why the software supply chain is such a big security risk right now, with a true expert and innovator in the field. Nick, how are you? I'm doing well, evan, how are you Good? Thanks so much for joining Really hot topic. Maybe introduce yourself and the journey to Lineage and tell us about the big idea behind the company.
Speaker 2:Yeah, no, absolutely.
Speaker 2:So you know my background, as I spent several years within large organizations managing cybersecurity specifically AppSec, vulnerability management, cloud security and was running into this issue around software supply chain SolarWinds was the first one, and then came around Log4j, and I was really starting to bang my head against the wall saying what's going on here and really wanted to dive in and understand what is the cause of these issues in the software supply chain, especially after Log4j, and Log4j had automated the CICD pipeline DAS, sas, you name it and it didn't save me.
Speaker 2:It couldn't help me at all with Log4j, and so that's really where I really dove into this area and trying to understand what was happening. Long story short, I met with the CEO and founder of Lineage, who I'd worked with previously in a prior life, and he had this concept. I said, wow, this is great. I've been banging my head for the last six months trying to figure this out and spent time with him and the team, nights and weekends, and finally joined after I was convinced that we have a solution here to address this incredibly difficult challenge.
Speaker 1:Why is it so difficult? What are some of the challenges? Why is it so hard to fix, particularly with, you know, open source software? I think the industry is getting better, but not good enough, clearly.
Speaker 2:Yeah, absolutely. So you know some of the first of all, open source is pervasive, right, everybody knows it, and open source is here to stay. It's driving innovation and it's doing a lot of good things for the industry. The challenge with open source is the fact that open source people who develop open source are in it to drive innovation. They're not necessarily in it to maintain that software right over time. So the one aspect is, the maintenance of open source tends to lag. So you know, vulnerabilities and other risks don't get addressed very rapidly or sometimes not at all right, because there's not an active community, even though that's being used.
Speaker 2:The second issue, though, which I think is equally important, is that it's fairly opaque. So, just like developers and organizations use open source as opposed to recreating the wheel, open source developers use other open source and those open source use other open source, and we see this nested set of we call it dependencies in open source that can go down 60 layers deep, and the challenge with that of not knowing what's actually in the software you're bringing in is that there are risks, vulnerabilities, but other risks deep inside that supply chain as well. As we know, there are bad actors that understand that opaqueness and take advantage of that to either insert back doors or put in compromised components without you knowing that they're there.
Speaker 1:Fantastic, and how does your software work? I mean, what's the secret sauce, the magic behind it, and what does it mean to for real world developers and product companies?
Speaker 2:risks in open source that you are using in your software, but also remediating them, and remediating them efficiently. So the way we operate is first on the find. We have crawlers. So, similar to how Google crawls the web and indexes the web, we crawl open source. So let's say we find that in your software. Let's say we scan your source code or your container and we find you're using open source package A. We will scan open source package A in GitHub or wherever it is, and we'll scan the source code. We also scan the binary or the deployed artifact that it produces. Oh, wow.
Speaker 2:And so what we do is we do a comparison and then we do a partial build. We actually do the build, run the build script. So the reason we do all of that is we're also we're capturing risk at multiple dimensions. You know what's in the source code, who's contributing, what's the contributor behavior? Does the build match what should come out from running that source code build? And we start finding discrepancies and we start finding what we call tamper risk or risk of tamper. And that's how we like the XE util attacks, a classic example where somebody modified the build script. Nobody knew about it and then made a change in what was the build artifact, but you would not find it in looking at source. And then we do this for every dependency. By running the build, we actually find 100% of the dependencies for each package and then we crawl all the dependencies down to the nth level the name of the company's lineage. We discover the entire lineage, if you will, of your software and identify these risks. And once we identify the risk, it's really looking at remediation.
Speaker 2:And so, from a remediation standpoint, one of the things we've started doing is how do companies and large software development shops start secure, right? So the big issue is you're bringing in vulnerable or risky open source. So we launched gold open source, and gold open source is vetted, safe open source. It's free of critical and high vulnerabilities. It also passes our integrity checks so we make sure there isn't a tamper or a risk of a tamper or a compromise in the supply chain as well. So now you can start secure by using gold open source, secure packages, secure images that are validated and verified and we give you full details. You know SBOM, provenance, everything you would need to know in order to get the confidence that it is a secure open source. And the second thing is automating the source code, the remediation and source code. So we have AI that will basically rebuild from source the or vulnerable open source components with what we call gold open source or secure open source.
Speaker 2:And the third piece is containers. So we know, in containers we're bringing in a lot of other open source vulnerabilities. We will actually create a duplicate of your container, fix it and then give it back to you. So all of this happens within your CIT pipeline. None of your software or containers actually leave your environment. And then, fourth, we're doing continuous monitoring. So let's say, a new log 4J comes out, a new zero day, we will be able to detect it. We have a software bill of materials, for all of your deployed applications can identify exposure and go back to number one, right, see, if we have a gold open source version. If not, we can also create a clean version. So we will fork branch open source, fix it and contribute it back if necessary.
Speaker 1:Sounds amazing. You're also introducing something called agentic AI for self-healing code. Now that sounds intriguing. How does that work open?
Speaker 2:source components is that it's deeply interconnected with existing software, right? The blast radius or the dependencies or compatibility changes are causing breakages in their applications. And so what we do with the agentic AI is it actually figures out what are all of the changes to remediate the greatest number of vulnerabilities without breaking your software. So we do a full analysis, dependency tree analysis, and that way the agentic AI can make updates knowing it's not going to break your software, and removes that burden from the developer, and does it extremely fast. We're talking in minutes, right. We're doing these remedial patches and then, since we're integrated, the agentic AI is integrated into your CICD pipeline. You run your same battery of tests, so it doesn't go outside of your normal development cycle. It simply automates the process of fixing or mediating those risks.
Speaker 1:Wow, Amazing. So let's talk about the people side of the equation. We all know that DevSecOps teams are sort of overwhelmed. You can't really hire this talent easily, to say the least. What does it mean for the people side of the organization and giving folks? You know more job satisfaction or visibility control over their work, which is kind of stressful.
Speaker 2:No, that's huge. And what we're finding is we're taking this approach leveraging the agentic AI to help offload what is not a fun job, right, Having to figure out what are the vulnerabilities and then debating whether the vulnerability should be patched. Is it going to break my software? Is there an alternative version?
Speaker 2:So now, removing a lot of what is painful from DevSecOps and focusing on driving changes efficiently, without asking humans to do this grunt work, if you will, to do this kind of this grunt work, if you will, the other thing we're finding, working with our customers this approach actually unifies the dev teams a lot closer to the security teams, because now it's not simply, yeah, we found these vulnerabilities, go fix it. It's let's, okay, we found these vulnerabilities, we'll leverage agentic AI to remediate. So you know, dev teams, you don't have to. And then we're still testing. So we know, you know it's not going to break your software. And the net effect is these teams are actually working closer together because they are aligned on both, which is, you know, making software more secure but, at the same time, doing it much more efficiently.
Speaker 1:Fantastic. And so what one thing a CISO could do today or immediately to kind of reduce their software supply chain risk. Any suggested first steps yeah, absolutely.
Speaker 2:I think the basic first step is making sure you have a software bill of materials, or an SBOM of all of your software. Knowing exactly what's in there and then understanding the risk of all of those components is number one, I think in cybersecurity, having an inventory, if you will, understanding everything you have, is always step one, and it's incredibly important to understand all of the components in your software than to be able to manage risk.
Speaker 1:Fantastic advice. So I guess the question is are we moving fast enough? I hope your sales are booming and customers adopting, but is that enough to avoid some pretty big disasters that are potentially on the horizon?
Speaker 2:terrific. However, as you know, the landscape's always changing. It's always shifting. One of the things that we've discovered, as well as there's been some reporting around it, is with AI. The old I would call the old world, which is not quite yet the old world of prioritizing vulnerabilities based on exploitability and other dimensions is quickly becoming outdated, mainly because the threat actors can now use AI to get any vulnerability, whether it has an exploit or not, can create an exploit almost overnight, right, and they can create these exploits with very little skill is the other issue, right? So AI closes that skill gap.
Speaker 2:So now you know, do you spend time figuring out how to prioritize so that you can remediate some things now and remediate other things later? I think that luxury goes away, right. I think now you shift it to how do I remediate the maximum number of you know vulnerabilities as quickly as possible? And the main reason for that is, like I said, you know, we know the vulnerabilities are out there. We know the threat actors are using AI to write exploits for those. So we need to shift the model, and this is where we believe AI and the use of agentic AI really helps, because now you know the big, I guess threshold was always the impact on your development teams. Offload that to agentic AI to do the automated patching you know really frees up now your resources to focus on building new features while driving vulnerabilities out of your software.
Speaker 1:Brilliant. You make it sound so simple. If only it were the case. But what's next with Lindyage? Where do you see yourself going? The biggest opportunity to help customers over the next couple of years?
Speaker 2:Yeah, absolutely. What we're really focused on, as I mentioned, is making sure that we don't not only find risk but remediate risk and do it in a way that is efficient and effective for our customers. In a way that is efficient and effective for our customers, and so where we see what we're focused on is continuing to develop AI and agentic AI with regard to remediation, the goal to open source and also focusing on how do we help customers. That everybody's building code now with AI, right, so we have code generation tools out there understanding how to manage the risks one identifying the risks and managing the risk with code generated by AI and so that's been a big, strong focus of ours. We're involved in many of the industry working groups around AI and AI. Bill of materials is also something we see on the horizon as an important component to understanding risks of AI. So really, you know that's that's we're going to. Probably not probably we'll see some some new capabilities later this year focused on addressing co-generated AI.
Speaker 1:Fantastic. And where can folks meet you or the team? I see you're at Black Hat, that's right. Maybe even with your own events, you have DEF CON coming up. Where are you out and about over the next few?
Speaker 2:months? Absolutely, we'll be at Black Hat, and on August, on Monday August 4th, we're hosting what we call the Lineage Software Supply Chain Summit. We have speakers from industry, from government, subject matter experts. The goal here is to really share a lot of the thought leadership regarding software supply chain security. And, no surprise, the theme for this year's event is AI for security and securing AI right. So it's really looking at it from both sides in terms of what's the opportunity with AI and then what are the risks with using AI and how do we secure them.
Speaker 1:Brilliant Well. Congratulations on all the success and helping customers on such an important domain, onwards and upwards. Thank you very much, evan. Thank you and thanks everyone for listening and watching and check out our new TV show, techimpact TV, now on Bloomberg and Fox Business. Thanks, nick, thanks everyone, thank you, bye-bye.