AI Code Security: How to Balance Speed & Risk in the New Software Era

Description

“Every 10 years, there’s a tectonic shift in how we build software… and we’re at the next tipping point.” AI is transforming how code is written, tested, and deployed — unlocking incredible speed. But with that acceleration comes a familiar question: are we managing the risks as fast as we’re innovating? At the Singapore International Cyber Week (SICW), Sunny Rao (SVP, APAC, JFrog) shares three key shifts reshaping software security posture 👇 🔹 The Shadow AI Threat 🔹 From SBOM to MLBOM 🔹 Speed vs. Visibility As Sunny concludes, “-you want to see AI and software proliferate at speed, but secure”. The goal isn’t to slow innovation — it’s to embrace speed, securely. ----- 00:49 – Intro - AI turning us all into software builders? 01:25 - Reshaping roles: from tedious coding to creative problem-solving and innovation 01:38 - New challenge: balance creativity with governance, compliance, & risk management 01:55 - AI for Bad Actors: Are Cybercriminals Using AI to Write Malware? 02:08 - AI-enabled software: ammunition to bad actors boost the scale & speed of malicious attacks 02:51 - AI: Teach Non-Coders to Build Software? 03:16 – What is Vibe Coding? 03:27 - AI coding: useful for quick ideation & prototyping 03:40 - For commercial & enterprise production: apply human oversight; evaluate compliance, stability, vulnerabilities 04:09 - Risks: AI Learning & Repeating Old Code Vulnerabilities? 04:45 – “Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack 04:57 – “Top 25 MCP Vulnerabilities reveal how AI Agents can be exploited” 05:11 – “The side effects of using AI for coding” Cybersecurity implications” 05:25 - Attack surface is growing; balance speed, security, & innovation 06:02 - AI Native Risks: Hallucination? 06:33 – “Vibe coding Fiasco: AI Agent Goes Rogue, Deletes Company’s entire database” 07:06 - AI: amplifying existing security weaknesses 07:16 - Build a foundation leverage proven, robust software development practices 07:25 - AI is software; apply existing security, governance, compliance standards 07:44 - Shadow AI: Emerging risks? 07:56 - AI models from the web: pose the same risks as unverified open-source code 09:21 - Another risk: Guarding the Inputs into AI? 09:38 - Integration for tools like GitHub Copilot; real-time vetting of Copilot code suggestions 09:58 - Example checks: vulnerabilities, transitive risks, adherence to compliance policies 10:10 - Real-time checks: ensure that security is built in, not bolted on 10:45 - Security for Software in the AI era? 11:05 - Reduce production delays: pre-screen open-source code & AI models 11:59 - Next: Continuous scanning for tradition & AI software to include e.g transitive risks. 12:36 - Multiple collaborative AI agents: amplifies existing risks mandating end-to-end security, compliance, auditability, control. 12:58 - What is AI Bill of Materials? 13:14 - Machine Learning Bill of Materials (MLBOM): Extending the existing "Software Bill of Materials" (SBOM) 13:35 - Gain visibility into AIs: training data, provenance, compliance, bias, security risks 14:31 - MLBOM gives transparency: models, data sources, licenses, compliance standards 15:23 - What does AI Governance entail? 15:46 - Challenge: evidence collection of the complex, end-to-end software development lifecycle 16:05 - AppTrust: integrates with partners (e.g. GitHub)to collect & centralize audit evidence (e.g. BOMs, approvals) 17:06 - Secure by Design: The Essential First Actions? 18:03 - First: Work with pre-approved, policy-compliant, low-risk resources “shift left” (gate incoming pieces - software, extensions, AI models) 18:30 - Second: establish policies: safe use of resources & extensions for ideation 18:50 - Third: Apply continuous scanning 19:02 - JFrog: provide continuous security & artifact management for enterprises to compare models at runtime and assess costs. 20:05 - Most Underestimated AI Risk? 20:28 - Under-estimate security & rapid adoption of tools- including AI - without sufficient caution 21:33 - Risk: rapid adoption without end-to-end visibility 21:52 - To unlock speed & creativity, security must be a core 22:07 - Wrap-up - most excited about AI x Software? 22:14 - Every decade brings an exciting tectonic shift, we are at the next tipping point 22:39 - Embrace change boldly —backed by sound security at each step. ----- Recorded at SICW/ Govware, 22nd Oct 2025, 3pm. ----- Sunny Rao (SVP, Asia Pacific at JFrog) brings almost three decades of business management experience in information technology and enterprise software. Sunny has vast experience and deep expertise in the global expansion of emerging technologies and is passionate about helping customers and partners enhance, secure, and accelerate their entire software supply chain with JFrog. ----- Buymeacoffee https://buymeacoffee.com/misscyberpenny --- Stay with us: LinkedIn ➡️ https://www.linkedin.com/in/lojane/ YouTube ➡️ https://cutt.ly/U2B0yVi #misscyberpenny #cybersecurity #ai