Artificial intelligence has generated a lot of buzz around securing enterprise software and operations.

However, a lingering inability to follow best practices and nail the fundamentals still plagues the industry at large, according to Brian Fox (pictured), chief technology officer of Sonatype Inc.

“We have done some studies for years, and I think last year was our eighth year in a row,” he said. “The thing that I’ve been rattling on about since then is that around 96% of the time when organizations are pulling down vulnerable components, there’s already a fix available, which tells me that the problem is on the consumption side. There are a lot of conversations about all the novel edge cases when, as an industry, we’re failing to follow best practices and deal with the fundamentals.”

Fox spoke with theCUBE industry analyst John Furrier at the RSA Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how companies should prioritize their security operations, especially given the complexities AI brings. (* Disclosure below.)

The role of AI in software development: Risks and benefits

People are already employing AI tools, such as ChatGPT, to write code, some of which are mission-critical. It’s important, therefore, to assess the potential implications of that and other AI-related trends filtering through, according to Fox.

“I don’t think the AI aspect of this really affects the dependencies yet,” he said. “When people are choosing to put bad components in [the software stack], it has less to do with the new custom code that they’re creating and more to do with the hygiene of their dependency stack.”

The main security issue is that organizations are still falling victim to vulnerabilities that have already been identified and logged, according to Fox. So, there’s a need to tighten the software supply chain.

“As of last week, 29% of the consumption worldwide of Log4j versions are of the known vulnerable versions,” he said. “Everybody in the industry knows that it was an issue. We’re closing in on 18 months at this point. How is it that a third of organizations are still pulling down these known vulnerabilities 18 months later?”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the RSA Conference:

(* Disclosure: Sonatype Inc. sponsored this segment of theCUBE. Neither Sonatype nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE