More The Secure Disclosure episodes

AI Broke the Security Ecosystem w/ Chris Hughes thumbnail

AI Broke the Security Ecosystem w/ Chris Hughes

Published 22 May 2026

Duration: 00:31:50

Evolving cybersecurity challenges include supply chain threats, AI vulnerabilities, and outdated tools, highlighting the need for systemic reforms like developer incentives, regulatory clarity, and industry-government collaboration to address gaps in vulnerability management and the dual risks of AI's role in both threat detection and exploitation.

Episode Description

In this episode of The Secure Disclosure, host sits down with Chris Hughes founder of Resilient Cyber, CISA Cyber Innovation Fellow, and a leading voi...

Overview

The podcast explores the evolving challenges in cybersecurity, emphasizing the "scary" state of the field due to systemic vulnerabilities, supply chain threats, and AI-related risks. It highlights the paradox of using AI to address AI-driven security issues, noting the difficulty of keeping pace with rapid advancements. Open-source software supply chains are identified as a critical risk area, with vulnerabilities like Log4j and SolarWinds underscoring the dangers of relying on under-resourced maintainers and widespread use of open-source components in infrastructure. The discussion also critiques the limitations of current security tools and scanning technologies, which often fail to detect modern threats like AI-generated malware or malware embedded in recent incidents, such as Axios and LLM frameworks.

Systemic gaps in software supply chain security are analyzed, with a focus on the growing complexity of securing dependencies and the high ROI for attackers targeting widely used open-source components. The podcast addresses the challenges of outdated regulatory frameworks, insufficient transparency in vulnerability disclosures (e.g., NVDs backlog of unenriched CVEs), and the tension between human verification and AI-driven prioritization of security issues. It also critiques the limitations of existing approaches like DevSecOps and "shift left" strategies, which often fail to address false positives or break down silos between development and security teams. The role of AI in accelerating vulnerability discovery and exploitation is discussed, with both opportunities for proactive risk management and growing concerns about escalating threats outpacing defenses.

The conversation touches on broader organizational and cultural challenges, including misaligned incentives for developers prioritizing performance over security, the burden of balancing security with operational priorities, and the need for systemic reforms in tooling, policy, and industry collaboration. It also reflects on the future of bug bounty programs, the paradox of dependency management, and the evolving landscape of open-source philosophy, critiquing traditional practices in engineering and software development. The podcast underscores the necessity of risk management over absolute security, acknowledging that while innovations like AI can enhance detection, they also create new vulnerabilities, requiring a nuanced approach to defending against an increasingly complex threat environment.

What If

  • What if you prioritized auditing your open-source dependencies with a focus on supply chain risks?
    Concrete move: Implement a quarterly dependency audit using tools like Snyk or Dependabot, with a special emphasis on components with high exposure (e.g., those in the CISA Known Exploited Vulnerability catalog).
    Why_now: The open-source ecosystems attack surface is growing, and high-profile vulnerabilities like Log4j demonstrate the ROI attackers gain from targeting widely used components.
    Expected_upside: Proactively identifying and mitigating risks in your codebase reduces exposure to systemic vulnerabilities, improving your products resilience and reducing long-term remediation costs.

  • What if you integrated AI-powered vulnerability detection into your CI/CD pipeline but with human-in-the-loop validation?
    Concrete move: Deploy an AI-driven SCA tool (e.g., CodeQL, Mythos) to scan for vulnerabilities in real-time during builds, followed by a manual triage step by your team to verify false positives and contextualize risks.
    Why_now: AI is accelerating vulnerability discovery, but existing tools struggle with false positives and lack exploitability context, creating a gap between detection and actionable remediation.
    Expected_upside: Youll leverage AIs speed for initial detection while maintaining human oversight to avoid over-reliance on automation, aligning with the industrys pivot toward runtime security and contextual prioritization.

  • What if you adopted a "zero-trust" approach to dependency updates by blocking auto-upgrades and requiring explicit approval for patches?
    Concrete move: Configure your package manager (e.g., npm, pip) to lock dependencies at known-safe versions and require manual approval for any updates, even from trusted sources.
    Why_now: Auto-upgrades risk introducing malware or unstable changes, while pinned versions leave systems exposed. The current landscape demands a balance between security and control.
    Expected_upside: Youll minimize the risk of supply chain attacks from compromised package ecosystems while maintaining control over your softwares stability and security posture.

Takeaway

  • Prioritize Financial Support for Open-Source Maintainers: Actively contribute to or fund projects that provide compensation for open-source maintainers, reducing reliance on underpaid individuals and improving security through better-maintained codebases.
  • Implement Secure Dependency Management Practices: Use tools like Dependabot or Renovate with strict policies to automate dependency updates while enforcing security checks (e.g., vulnerability scanning) to mitigate risks from outdated or malicious packages.
  • Integrate Security Tools into CI/CD Pipelines: Embed SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools directly into development workflows to catch vulnerabilities early and reduce friction for developers.
  • Align Developer Incentives with Security Goals: Adjust internal metrics and rewards to prioritize security outcomes (e.g., bug bounty contributions, secure code reviews) alongside feature delivery, ensuring developers are motivated to adopt secure practices.
  • Adopt Alternative Vulnerability Databases: Leverage non-NVD sources (e.g., ANISA, private vulnerability databases) to supplement CVE data, especially for unenriched or outdated entries, ensuring more comprehensive risk coverage for your software stack.

Recent Episodes of The Secure Disclosure

16 Jun 2026 Your Microphone Became a Keylogger w/ David vonThenen

Machine learning analyzes keystroke acoustic signatures to infer typed characters over remote platforms, highlighting high accuracy with known keyboards, privacy risks from surveillance, and challenges in noise and variability, while proposing defenses and noting AI's dual-use implications.

9 Jun 2026 Understand the Software Supply Chain Chaos w/ Roeland Delrue

Rapidly evolving supply chain security threats, including malicious open-source components and AI-driven malware, demand advanced AI-powered solutions like Akito Securitys self-securing software and tailored tools to address vulnerabilities in developer environments and package repositories.

28 May 2026 Prompt Injection Might Never Be Solved w/ Paul Vann

The text details AI security threats like prompt injection, jailbreak attacks, and distillation attacks, along with vulnerabilities such as AI bias and autonomous agent risks, highlighting detection challenges, emerging malware, supply chain exploits, and the industry's struggle to keep pace with rapidly evolving AI technologies.

15 May 2026 PostHog is placing a wild bet on AI Coding w/ James Hawkins

Recommended: Should you go open source?

PostHog's open-source analytics platform prioritizes transparency, developer autonomy, and AI integration while critiquing corporate norms, emphasizing price clarity, building in public, and balancing automation with security governance in product development.

6 May 2026 AI Panic is Driving Shadow IT w/ Noora Ahmed-Moshe

AI's impact on employment and cybersecurity risks, driven by shadow AI, phishing, and emerging threats like prompt injection, require balancing workforce skills, security measures, and organizational trust.

More The Secure Disclosure episodes