What happens when AI can write software in seconds but lacks the context to understand whether the code it creates is built on secure foundations?
In this episode of Business Tech Perspectives, I speak with Brian Fox, Co-Founder and CTO of Sonatype, about the growing pressure facing software teams as AI accelerates development while cyber threats continue to evolve. Brian brings a unique perspective from his work overseeing Maven Central and helping organizations understand the risks hidden inside modern software supply chains.
Our conversation begins with a challenge that many organizations may not fully appreciate. While AI coding assistants are becoming increasingly capable, the information they rely on can already be months old. Brian explains why that matters when selecting open source dependencies and how outdated recommendations can leave security risks buried inside applications long after they are deployed.
We also discuss the role open source software now plays in almost every application. Developers can build products faster than ever by using existing components, but that speed comes with responsibility. Brian shares why understanding what is inside your software has become a business issue as much as a technical one.
Another major topic is the expected surge in vulnerability discoveries driven by new AI capabilities. Brian warns that both attackers and security researchers now have access to tools that can identify weaknesses at unprecedented speed. The result could be a flood of vulnerability reports that challenges maintainers, vendors, and security teams alike.
The discussion also covers the changing state of vulnerability intelligence. With NIST narrowing its focus and public resources under strain, organizations may need to rethink how they gather information, assess risk, and prioritize remediation efforts.
Throughout our conversation, Brian offers practical advice for leaders who want to prepare their organizations for what comes next. From understanding software bills of materials to improving patch management processes, he explains why preparation today could make all the difference tomorrow.
Despite the challenges, Brian remains optimistic about the future. He believes AI will help developers create software faster and help the industry address years of accumulated security issues. The question is whether organizations can adapt quickly enough to keep pace with the changes already underway.
How confident are you that your organization could identify, assess, and respond to a major software supply chain issue today, and are your teams prepared for the increase in vulnerabilities that AI may soon uncover?
[00:00:00] If you are running a business right now, you may have noticed there's a quiet shift happening. One that most people are still underestimating. And that is your company doesn't live inside your network anymore. It lives inside the browser. That's where your SaaS apps sit. That's where your data moves. And increasingly, that's where attackers are focusing their attention. So NordLayer has just launched its new business browser.
[00:00:28] And it's designed specifically for small and medium-sized companies that need visibility and control without the overhead of enterprise security tools. What I like here is the balance. You get advanced protection, better compliance, and full visibility into how your team is working online, but without slowing anyone down or forcing them to learn anything new.
[00:00:52] So please head over to nordlayer.com slash browser and check it out and let me know your thoughts. But now, on with today's show. What happens when software starts moving faster than trust can actually keep up? Well, today on Business Tech Perspectives, I'm joined by Brian Fox. And he's the CTO and co-founder of a company called Sonatype.
[00:01:17] And we're going to discuss the company's software supply chain report and why the risks facing modern software teams are entering a new phase right now. And he will also explain why software supply chain security can no longer be treated as just a niche developer issue. It's now a boardroom, regulatory, and business resilience problem.
[00:01:37] So we will discuss today dependency sprawl, poison packages, vulnerability data gaps, AI hallucinations, and why leaders need to start understanding what is actually inside their software that the business depends on. But this is also a conversation about opportunity. And Brian will make the case today that AI used responsibly and supported by real-time data can help software teams build faster and safer.
[00:02:03] The challenge, though, is knowing where that risk sits before it becomes a crisis. And with that scene set, let me introduce you to my guest now. So thank you for joining me on the show today. Can you tell everyone listening a little about who you are and what you do? Sure. Thanks for having me. My name is Brian Fox. I'm the co-founder and CTO at Sonatype. Sonatype is a company; we run Maven Central.
[00:02:30] So if you're doing Java development, you're probably using open source Java. You're getting those components from us. That's just a thing we've done for the community since basically before our founding, as we were early contributors to Apache Maven, which is the dominant Java build system. It's not what we do to make money.
[00:02:50] We have a repository manager called Nexus that is a caching proxy for not just Maven, but NPM and Python and, you know, you name it, Docker, all the things. And we also do software supply chain security tools. Some people call them SCA, software composition analysis. We've been doing that for a very long time as well. And personally, I spend a lot of my time.
[00:03:15] I'm on the governing board of the OpenSSF, the Open Source Security Foundation, as well as the FINOS financial organization and several other related things. And I spend a lot of time these days dealing with open source and security policy, policymakers worldwide, things like the Cyber Resiliency Act over in Europe. A lot of the efforts that CISA has been doing over the past few years as well. So that's a bit about me and a bit about us. Wow, you're an incredibly busy guy there.
[00:03:44] And for people listening and they're hearing about you for the first time, maybe they're not too familiar, but you have just piqued their interest. Can you expand on what Sonatype does and also why you are so closely positioned to analyze the global software supply chain that we keep reading about? Yeah, so with the stewardship of Maven Central, like I said, every open source Java component essentially flows through our system.
[00:04:09] So we spend a lot of time on the front end trying to ensure the security there and enforcing that only the trusted people are publishing the right components and things like that. And so that's what led to some of the early insights back, I don't know, 15 years ago.
[00:04:25] You know, we would be looking at the data traffic of popular components and asking ourselves, why is it that the most popular version of this particular crypto library is the one with a level 10 vulnerability that's been fixed for five years? Why is that the case? We started making those observations in 2012 and we've been basically on a journey to try to help people understand the problem and fix the problem. You know, we've been talking about this since well before Log4Shell.
[00:04:54] In fact, when Log4Shell finally happened, I kind of looked around and was like, I mean, yes, it's widely impacted, but there's literally nothing new here. But it was new to a lot of people because they hadn't really understood, you know, the rise of how many open source components were actually being put into, you know, custom software. Leaders didn't really understand that because they grew up in a time like I did where we literally started at, you know, the C prompt and just wrote everything ourselves.
[00:05:23] Pulling in reusable binaries was only a dream. And so, you know, I think there was historically a mismatch around that. And this visibility also helped us start recognizing the rise of intentionally open source malware. 2017, we started talking about that, trying to raise awareness. We built capabilities to defend customers from it.
[00:05:46] But I would say only in 2025, 2026 is it really like having its Log4Shell moment where, you know, you're seeing the Shai-Hulud and all these other now named repetitive attacks coming out. These are the very same things that we observed and started helping to defend against, you know, what? It's gosh, it's nine years now. Right. So this feels like a pattern for me.
[00:06:10] Frankly, you know, we kind of see problems, we try to solve them and it takes a very long time before everybody kind of catches up to where we are. It's frustrating because it feels like some of these things were avoidable, you know, and similar problems are happening with AI. I think we're reliving that right now. We just don't know how that movie is going to end. Yeah. A hundred percent with you.
[00:06:32] And another thing that put you on my radar was your software supply chain report, which stated that software has reached machine scale, but trust has not kept up. So for the business and engineers listening, tell me more about what that means in a language everyone can understand so we don't lose anyone here. Yeah, sure. So for I think it's been 11 years now, we have created what we call the Sonatype State of the Software Supply Chain Report.
[00:06:58] And part of that was trying to solve the problem I mentioned before, which is raise awareness, get people to understand, provide real data, not opinions, but actual facts and data and do deep research. We published this year's latest report. It was in the January, February timeframe this year. So not too long ago. And of course, this little thing called AI is on everybody's mind. So that obviously dominated some of the research we did.
[00:07:24] And so what we've done, and we've had a series of follow-on reports because, shocking, everything's moving so fast, too. And we have another one that's about ready to go out soon in terms of the research. And so what we found is that the AI models generally are actually pretty terrible at managing open source dependencies. They're getting really good at writing new code.
[00:07:49] They're getting really good at using the APIs in the open source dependencies to do powerful things. They're not good at picking dependencies. And if you stop and think about what the model is, the model is trained on data at a certain point of time. Usually the input data is six to nine months lagging behind when the model itself was actually released. Right. And the model, of course, is not real time. You know, Opus 4-7 came out.
[00:08:15] What, now a month ago? 4.6 was, I don't remember, three or four months behind that. So what this means in the practical reality is that the models don't know anything that has changed about the dependencies in three plus six to nine months in their training data. So they don't know about new versions. They don't know about popularity shifts. They don't know about new vulnerabilities.
[00:08:39] And so if you ask a model to make a recommendation about a dependency, it's doing so nine months in the past. Now, think about that for a minute. Would anybody seriously recommend I want to put a fleet of humans in place and I'm going to run my security program, but I'm going to only ship them a news feed that's nine months old. Like what was going on nine months ago? I don't even remember anymore. Right.
[00:09:05] But that's effectively what's happening when you're asking your AI model that's not grounded with actual data here to assess your dependencies or even to generate new code. It has none of this information. And so what the research actually shows and this isn't something we expected to find. We like to go explore and let the data take us to the conclusion versus, you know, try to use it to prove a hypothesis.
[00:09:28] What we actually found was that the models consistently, all the model vendors, we've looked all the way back to, I think, like Opus 3.5. So well over a year. So the OpenAI models, Anthropic models and Gemini models we've compared. And what was kind of interesting is over the past 18 months or so, they've all gotten consistently better at reducing hallucinations. They're all getting better at not hallucinating versions, which sounds good. Right.
[00:09:58] But we found unsurprisingly to us is that they've done so by trading off the frequency for which those models have no opinion on the version. So what does that mean? It means it stopped making up an obviously wrong version and started saying two thumbs up. You're good. Don't do anything. Right. Now, what does that mean?
[00:10:24] It means that in the past, a hallucination kind of problem is fun to look at. It's fun to laugh at the AI model because it doesn't know what's going on. But practically speaking, if your build tool tried to build against the version of a component that didn't exist, it's going to fail immediately because it can't find it. So I kind of refer to that as like a fail fast kind of situation. It's annoying, but it doesn't really have lingering consequences. Now, what they've traded that off for, like I said, is having no opinion.
[00:10:52] So now imagine you say, OK, go assess all of my dependencies and recommend some updates. And it says, yeah, you're good. Well, how do you know that it's wrong? You don't know that it's wrong. You assume it's OK, especially because most people don't understand what I explained, that the data they have is seriously dated. So now you're left in a situation where if you don't know better and you ask for an update and it has no opinion. Now you're left with what I like to refer to as persistent risk because you didn't do an update that you should have.
[00:11:20] You might have some malware in there that you didn't know about. So I would assert that actually the models are moving in the wrong direction on this dimension. Now, of course, Sonatype, with all of the software composition analysis and pipelines that we've run, we've always had a ton of really precise data. So what we've started to do is provide capabilities that can take that data and feed them directly into the AI models via things like MCP queries and things like this. Right.
[00:11:47] So if your tool or your security assessment or if you're generating new code, if it's trying to reason about dependencies, it can ask the Sonatype capabilities like, hey, what do you know about this? Can you recommend a better version? Are there updates? Are there known vulnerabilities? Because that's happening at the time the model is being used, not the time the model is being generated. You're now able to insert real time information and then the model can reason about that appropriately.
[00:12:15] So if we come back and say, hey, the latest version of this thing is 2.5, but actually we're going to recommend 2.4 for the following reasons. The model can take all of that and make sense of it and do the right thing. And so as a result, what we found is even if you take one of the tiny, super cheap, super fast models like a nano model and you ground that with real time information and then ask it to do a dependency analysis.
[00:12:42] It's something like 70 percent better than a frontier model at fixing the problems because it's the real time data that matters. Right. And that's just you're not going to go to the model and ask it about yesterday's news, which is kind of the equivalent of what's happening when you use a model to just manage your dependencies without feeding information to it. Another thing the report suggests is that open source now makes up 80 to 90 percent of modern applications.
[00:13:11] I knew that figure was high, but not that high. But why has open source become such a focal point, not just for regulators, but attackers too? Well, yeah, I mean, that's what we've been using for a long time. It's been true. I think a lot of people don't realize that still. But, you know, open source captures.
[00:13:34] What I think, you know, if we take a step back, you know, if you look at any modern industry, the way that they've gotten more efficient, safer, more productive is through specialization. And so that means, you know, if you're a car manufacturer, you're likely not sourcing your own metal and making literally every part in the car. You buy the screws from a screw manufacturer, you buy the starters from a starter manufacturer, etc. Right. And so software is the same way.
[00:14:00] And so rather than us sitting down and writing everything from scratch, like what I had to do when I started my career, we can now build on the shoulders of people that are specialists in these different areas and network and databases in, you know, persistence layers and UI frameworks and all these kinds of things and not have to keep generating those things over and over again and also not reinventing them as much.
[00:14:24] And so that allows actual enterprises who are trying to achieve a specific business goal for a customer to assemble these things using the best of breed of all the different things that make sense, wire it together with their domain knowledge and then ship an application. Right. So that's why open source has become so popular because nobody wants to sit down and write all this stuff from scratch. It's kind of foolish these days. I think the same is going to happen even with AI.
[00:14:51] AI generated code has made all of this much more cost effective and fast. And some people say AI is going to kill open source. And I think it might give open source some challenges for different reasons. But I think the macro economic pattern will still exist that for things that are commodity heavily reused and are not really competitive in nature,
[00:15:16] we will still come together on these shared components regardless. Like it doesn't make sense for everybody to sit down and spend their tokens trying to recreate spring or react frameworks, you know, things like this. It just doesn't make any sense to do that.
[00:15:35] So a special thank you to Denodo for supporting the Tech Talks Network and helping us keep these conversations going because moving beyond AI pilots all starts with connecting your models to trusted enterprise data. So if you're ready to move beyond AI pilots, Denodo can help you connect your AI models to trusted enterprise data in real time. So you can scale faster and reduce risk.
[00:16:02] So if you're interested in turning AI into business value, simply visit Denodo.com. And before you join me on the podcast today, I was also reading that you mentioned that the automatic reuse and massive dependency graphs are also overwhelming registries. So again, how is this kind of scale changing the risk profile for organizations that are building modern applications? It's something a lot of people don't think about sometimes. Yeah.
[00:16:32] So what this is talking about is a different effort that I've been leading with some of the other package registries. You know, a lot of people think about open source and they think about, okay, open source is free. Yeah. It's free for everybody. And it should be right. And the conversation has long been about companies should contribute back to help pay the maintainers, help support the maintainers, provide engineers to work on the things that you find are critical. That's still a problem.
[00:16:58] But the reality is, for the most part, if you're using open source components, the more you use them doesn't drive up the cost for the maintainer. You know, copying software is effectively free. However, all of those components are retrieved from these public registries like Maven Central and PyPI and NPMJS and Docker Hub, right? These are all examples of these things. The problem is downloading those is not free. It's especially not free.
[00:17:27] This is a real case I was investigating this week. It's not free when you have fleets of data analysis clusters. Every time they start up, they download the same Apache Spark components and their dependency sets, about a thousand components, literally every single time. And so I've found some fleets that were downloading the same 1000 jars 80 million times a week. Those jars never changed.
[00:17:56] They were not, I'm not talking about new versions. I'm talking about literally the exact same file, thousands of them, 80 million times a week. And this is just because everybody said, oh, it's easy. It's in these repositories. They have a CDN. And so I don't have to cache. It's just easy for me to do. And so the net result of that is the costs to run a public repository like this are going through the roof. And AI only makes that worse because we're creating more software.
[00:18:21] We're using more components, you know, and all those kinds of things. So we've been working together with the other package registries to create a series of open letters to kind of talk to the world about this and kind of highlight the fact that the economics of this are just simply not sustainable. And we're trying to get people to do a better job of thinking about how they interact with the package registries, be more efficient, stop wasting all of this energy.
[00:18:48] You know, and I tell people until we figure out how to make electricity free, it will always cost something to download things. And it will cost something a lot more if you're downloading the same thing millions of times over and over and over again. It's just as simple as that. The data also shows, I think, more than a million malicious packages were blocked. And there's also a rise in state-aligned actors that are targeting developer workflows.
[00:19:18] So to paint a picture here, what does that strategic supply chain attack look like this year? What are you seeing? Yeah, I mean, we're seeing increasingly sophisticated attacks. This is the thing I was talking about at the beginning of the podcast, you know, from 2017, the rise of the malicious components.
[00:19:35] In the early days, I think we saw very trivial attacks where people would put a component into one of these package registries, make it sound like something that was out there, and hope that people would download it. And as soon as they download it, the package manager would trigger some scripts. And so basically, it was remote code execution, dropping backdoors, stealing data, things like that. Nine years ago, those attacks were very unsophisticated.
[00:20:03] Most of the time, the builds would fail because the thing they downloaded was just a hollow shell. It wasn't an actual forgery. Fast forward to 2026. Now, especially with AI, we see the creation of sometimes whole pretend fake companies and Slack channels to fool maintainers into changing things, into doing other stuff. We've seen, you know, the rise of them taking the actual component, making it subtly different and harder to detect ways.
[00:20:33] You know, again, AI makes all of this easier to do at scale than it was nine years ago. And so now, I guess I would say the forgeries are much harder to detect, but they are still malicious. And so this is a case that requires a very different approach. If you're talking about vulnerabilities, that's like an unlocked door that nobody might ever notice. Nobody's going to try it. Malware, intentionally malicious components, is more like poison in the food. You don't just go, eh, we'll just leave the food on the table and hope nobody eats it, right?
[00:21:03] You respond to it differently. And so, you know, we've been tracking and building tools to detect this, like I said, since 2017. And so we have the biggest database out there of all of these malicious open source components. And we defend our customers from them. So we have capabilities that we refer to as a repository firewall, you know, Nexus firewall. And it works like a network firewall, but for components.
[00:21:28] And so when one of these things hits the repository, it gets published, we analyze it. And when our customers are trying to make requests for those things through the firewall, it detects that this is malicious and it stops it. That's really the only way to defend against these attacks. You can't go back and chase it out. It's not like, oops, I downloaded the vulnerable version of Log4j, but I haven't released yet. I have time to fix it.
[00:21:53] No, if you've downloaded one of these malicious components, your data may have already been posted to somewhere on the Internet. It's too late. You can't get that back. That's what we're seeing over and over. So these attacks often look more like a smash and grab style where they happen so fast. They grab at whatever the developer system or the CI system has access to, which are API keys, all these other kinds of things, and ship them off before you even have a chance to know that it happened. That's what's happening right now. Wow, that's a scary prospect.
[00:22:23] And another stat that stands out in the report is 65% of new vulnerabilities lack severity scores. So how does incomplete or delayed vulnerability intelligence, how's that affecting real-world prioritization inside security teams? What's happening there? You know, people like to say, Brian, you're always bringing all the bad news, and you're walking me through the entire set of bad news here.
[00:22:46] So historically, NIST here in the U.S., the National Institute of Standards and Technology, has done an extra level of, let's call it, data elaboration on any vulnerability that gets published. So historically, a vulnerability was given what we call a CVE number, a common vulnerability enumeration number, which allows everybody in the industry to know that they're talking about the same thing, right? I've referred to log4shell multiple times here.
[00:23:15] That's what we call the logo name. There is actually a number. I forget what the exact number is these days off the top of my head, but there is one. And so we know this is this precise vulnerability and this precise component. NIST had done a lot of the research to expand and score those things, right? So somebody has to look at this and run it through a system to kind of provide a severity score. Well, there's been funding challenges with that program. And so they've been struggling over the last year or so to keep up with the rise of new vulnerabilities.
[00:23:45] So about 65% of the vulnerabilities that were reported last year had no score assigned to them. Okay, so that was the situation. Sonatype's never really required that. We've always built our own thing in parallel. I think partially because we started so long ago, a lot of these things didn't exist and we had to kind of do our own thing. So we didn't become dependent upon that data. So it doesn't affect us as much as it does many other tools.
[00:24:15] But then the story gets worse. Just a few months ago, NIST came out and basically said they will only be scoring components that are used by federal and state government software. So they have a database that they call KEV, the Known Exploitable Vulnerability. So this is basically intended to say, okay, there's a CVE out there, but nobody's really exploiting it.
[00:24:44] Versus this other one that's out there and it's actively being exploited. So it's almost like a super, super score on that. But one of the things people don't know is that that KEV, the filter for the things that even gets put onto that, is in fact, is it known to be used in software that the federal government or state governments use? It was created to allow them to achieve a particular mandate that Congress put out about how fast they have to respond.
[00:25:13] And so what NIST has come out and said, we're only going to score things on the KEV. So they basically have said now the NIST database is basically only for the U.S. federal government. That's effectively what this means. And so that 65% stat, that was what happened last year. That was before they came out and said, we're not even going to pretend to try to keep up with all of these things anymore. We're just focusing on our own stuff. And effectively, you guys are on your own. Wow.
[00:25:43] And AI assisted development, let's throw that into the mix as well. It is increasing speed. But on the flip side, it's also introducing risk or non-existent packages. But believe it or not, we are both optimists and solutions, not problems kind of guys deep down. So on that side of things, how should leaders be thinking about how AI is both an accelerator and a risk multiplier? It's not about spreading doom and gloom. There's a lot of things people can do to prepare, right? Yeah, they can prepare.
[00:26:12] I think the first thing is what I was talking about before. Make sure that whatever you're using AI for in your software development or even your security analysis, if it's trying to reason about dependencies, you need to be able to ground it in that real-time data. Just like full stop. If you're only using a model, any model, it's going to produce terrible results. And worse, it's not going to be immediately obvious on its face that they're terrible. That's the problem. So we've done the analysis. We can show our work.
[00:26:41] Go check out the report if you don't believe me. But that's the first thing. The other thing that I think leaders need to be really thinking about is, you know, you've probably heard of Project Glasswing and Anthropic's new model called Mythos. Not a lot of people have access to it.
[00:27:01] And the big breakthrough, reportedly, about Mythos is its ability not really to find vulnerabilities, but actually to look at vulnerabilities that are out there, whether they're known or they're zero days and undisclosed, and actually stitch them together in a way that allows it to create an active exploit. So modern tools are, modern models already are pretty good at scanning code and finding vulnerabilities.
[00:27:29] Where they're not as good as Mythos is figuring out what to do with that and how to actually use it to break into software. Mythos is reportedly much, much better at that. So what is that going to mean? As soon as that comes out, what it means is everybody who has access to it and can afford it, which kind of slants you to well-funded nation-state types of attacks, let's be honest,
[00:27:53] are going to be scanning open source, looking for these types of vulnerabilities, trying to chain together exploits. What's going to happen then as a result is, well, we're going to see a lot more attacks, but there's also a lot of people, white hats, that are going to be doing the same thing. And so that's going to create a barrage of new vulnerability reports. The same system I just told you was not able to keep up and then they quit trying.
[00:28:22] Not going to get better. The open source maintainers who are already struggling to deal with it, they're going to get swamped in both real and fake vulnerability reports. So they're going to struggle to keep up and actually fix these problems and ship them through. And then all organizations that are building software need to be preparing for a major step function and the number of vulnerabilities that they're going to have to track, they're going to have to remediate in their own software.
[00:28:49] So I do expect there quite literally is a tidal wave on the horizon and only some people are preparing for it. It's kind of a big deal. And even we're still trying to figure out how will we think about that? How do we think about what the inevitable situation will be if we get 100,000 projects trying to release all of their patches next month? What are we going to do to make sure that those things can get out to the world, right? Because we have an important part.
[00:29:18] Not many companies get to say that, but we can clear the streets to allow the ambulance to get through, if you will, to get these things out. We did that with Log4Shell. But can we do that or how will we do that if we have a thousand of them a day, every day coming? I think that's the magnitude that we need to be preparing for. I think the good news is, I hope, is that's a short-term problem.
[00:29:46] What's effectively going to happen is with the rise of these tools and this breakthrough, we're going to be across the industry paying down decades of security debt, right? All these vulnerabilities, they've been there all along. We just didn't have the ability at scale to find them and to exploit them and to fix them. That will only last so long. If we go through this major burst, we'll come out the other side, hopefully, with more secure software, and then things will be back in balance.
[00:30:14] There will always be attackers looking for new things, but then the maintainers will be armed with the same tools. I think in the short term, though, there's going to be an imbalance in that, and we're all going to have to deal with that over the next three to six months. And I always like to try and give everyone listening some valuable takeaways. And with regulations such as the EU Cyber Resilience Act over here and the new U.S. federal requirements tightening enforcement,
[00:30:41] are there any practical steps that leaders and organizations should be taking today to embed transparency and compliance directly into their pipelines? Anything that you'd recommend here? Yeah, I mean, I think it's the same advice I've been giving for a decade. You know, if you found out about a vulnerability now, how quickly could you understand are you using that component, which applications are you using it in, and how quickly can you remediate it? I've been giving that advice for 15 years.
[00:31:09] What I think if I were to change that into Mythos, if I said, if I dropped a thousand on you in 10 minutes, what are you going to do? It's the same questions, but scaled up. And so, you know, if you don't already have a pipeline where you already accurately understand your bill of materials across all of these things, if you don't already have a process in place to triage or remediate and then ship patches to them, man, you better get going because it might be too late. Mythos is not that far away, right?
[00:31:39] And so that's kind of my advice, that if you're not prepared for these things, if you don't already have that in place, you better stop the presses and figure it out really quickly because this is something that we haven't seen in a long time. And to finish on a fluffy kitten or little puppy kind of story, what makes you optimistic or maybe even excited about the future? Anything that we can end on a positive note there too?
[00:32:07] That's a hard turn after this conversation, isn't it? I've completely flipped you. I mean, I think at some level, you know, it's hard to imagine where all of this goes with AI. You know, there's a lot of talk about AI is going to displace software engineering. And I think what it really just means, it's a new level of abstraction. You know, engineers, they're just moving to different tools. There was a time when software was written in punch cards. That predates me a little bit, just to be clear.
[00:32:34] But, you know, we're moving to that next level. Our ability to create really innovative and powerful software is being transformed like I've never seen. And so I think there's reason to be optimistic about our ability to do that. I think it's just sort of, it's a little bit unclear. We're seeing disruption across many industries simultaneously, which is not something I think humanity has really ever seen, not at this speed before.
[00:33:03] And that creates a lot of anxiety. But I do think at the end of the day, it will make us more productive and allow us to do a lot more things a lot more quickly. And it will just take a little bit of time for the economy and society to kind of normalize that. But I do think at some level, this is progress like we've always seen, just a little bit bigger and faster and all at once. But it's still good forward progress nonetheless. 100%.
[00:33:32] I think that's a perfect moment to end on. But we did cram a hell of a lot in 30 minutes there. So anyone wanting to find out more about you, Sonatype, the report that we referenced as well, where would you like me to send everyone? Yeah, go to our website, sonatype.com, S-O-N-A-T-Y-P-E.com. And there's a resources section which has the report, all the previous year's reports as well, if you want to go back and see this evolve, as well as the incremental updates that we've been publishing that I referred to.
[00:34:02] Awesome. I'll have links to everything you mentioned now. I urge everyone listening to go check that out. They'll be in the show notes, even also on the blog post at techtalksnetwork.com as well. Check it out. Let me know your thoughts on that, and we'll keep this conversation going. But thank you so much for taking the time to sit down with me today and talk about all this stuff in a language everyone can understand. Appreciate your time today. All right. Thank you. A big thank you to Brian Fox from Sonatype
[00:34:29] for joining me here today on Business Tech Perspectives. And one of the many things that stood out in this conversation is just how much of a modern business now depends on software that most leaders never get to see. And open source has made innovation faster and cheaper, but it is also creating a trust problem that attackers are increasingly exploiting. And Brian's message seemed to be clear there. If organisations do not know what components they are using, where those components came from,
[00:34:58] and how quickly they can respond when risk appears, they're already behind. Sobering thought. And you can find that software supply chain report that we mentioned and other resources over at sonatype.com. I'll include links to everything. But as always, I'd love to hear your thoughts. Are businesses finally taking software supply chain security seriously? Or will it take another Log4Shell-style moment to force the issue? techtalksnetwork.com. Let me know.
[00:35:25] I'm going to go find another guest for this podcast now, but I'll be back again real soon. Thanks for listening. Bye for now.