
Security News
Scaling Socket from Zero to 10,000+ Organizations
Socket CEO Feross Aboukhadijeh shares lessons from scaling a developer security startup to 10,000+ organizations in this founder interview.


Sarah Gooding
May 7, 2024
Socket CEO Feross Aboukhadijeh recently joined a16z partner Joel de la Garza and Derrick Harris on the AI + a16z podcast, which features discussions with leading AI engineers, founders, and experts. This episode focuses on the emergence of powerful generative AI models, which offer new defensive capabilities to the security industry at a time when the threats are starting to outpace our outdated detection tools.
The world of software supply chain security is facing an onslaught of attacks, from the highly sophisticated xz-utils backdoor incident to your regular run-of-the-mill, low-effort attempts at stealing credentials or environment variables. Traditional tools focused on scanning for known vulnerabilities are no match for the increasing volume and novelty of these attacks that leverage open source packages to compromise supply chains.
“The whole security industry is pretty focused on, and maybe almost to the point of obsession, with known vulnerabilities,” Feross said. “You don't stop the next backdoor with a CVE database.”
This episode also explores how business priorities, resource constraints, and organizational politics often dictate how companies approach security, leading to situations where crucial aspects are addressed too late or lack proper ownership. Socket’s developer-first approach is aimed at integrating proactive measures earlier in the development life cycle.
“That's where we like to encourage people to think about this earlier in the process,” Feross said.
“I know shift left is a buzzword at this point, but it is actually true that it's 10 times more expensive to fix problems once they've landed in the main branch of your repository than if you can kind of nudge the developer earlier on in the process.”
This episode highlights the challenges of using AI for threat detection while also recognizing the importance of providing meaningful alerts to avoid alert fatigue. AI has the potential to augment both detection and explanation, helping security teams identify vulnerabilities and understand the behavior of malicious packages.
Check out the episode below for the full conversation.