
What's in the SOSS? An OpenSSF Podcast
Big Thoughts, Open Sources Inaugural Episode: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source
Apr 7, 2026
29:12
In this inaugural episode of Big Thoughts and Open Sources, host Crob sits down with Brian Fox, Co-founder and CTO of Sonatype, to dissect the friction between rapid AI adoption and foundational software security. Brian shares insights from the 11th annual State of the Software Supply Chain Report, revealing the emergence of "slop squatting" and the high frequency of AI models recommending non-existent or vulnerable dependencies. The conversation explores how the Model Context Protocol (MCP) could revolutionize developer compliance and why the industry must fund the critical infrastructure supporting our trillion-dollar open source ecosystem.
Chapters:
- 00:23 – Welcome to the inaugural episode of Big Thoughts, Open Sources.
- 01:01 – Brian shares his journey from 2002 Apache Maven contributor to co-founding Sonatype and joining the OpenSSF board.
- 02:53 – The conversation shifts to the critical role of Maven Central in providing global visibility into the software supply chain.
- 03:26 – Brian reflects on a decade of security trends, noting that the "Log4Shell" pattern of using unpatched libraries has existed for years.
- 05:34 – The "Tribal Knowledge" problem is explored, highlighting how AI agents lack the undocumented context human developers share at lunch.
- 07:06 – Brian reveals findings from the 11th Annual State of the Software Supply Chain Report, including how AI models recommend non-existent code versions 30% of the time.
- 08:09 – The "Slop Squatting" phenomenon is explained, where attackers upload malicious packages to match common AI hallucinations.
- 10:03 – Brian discusses the Model Context Protocol (MCP) as a game-changer for turning security tools into expert systems for AI agents.
- 13:42 – The dialogue warns against ignoring sixty years of software engineering "physics" in the rush to adopt AI-generated code.
- 15:11 – Brian describes the "Vulcan Mind Meld" opportunity of injecting high-quality governance data directly into an AI agent’s decision-making process.
- 17:19 – The experts debate the risks and rewards of our "new robot overlords" and the need for ML SecOps discipline.
- 19:30 – Brian emphasizes that "inefficient code is still inefficient code" and warns against repeating the costly mistakes of early cloud migrations.
- 21:01 – Advice is given on building an "AI-native SDLC" that focuses on providing security information upfront during code creation.
- 24:18 – Brian addresses the sustainability crisis, noting that the cloud infrastructure required for modern, secure open source builds is no longer free.
- 27:17 – The episode concludes by highlighting the eight trillion dollars of economic value produced by open source and the need to fund its core infrastructure.
Episode links:
- Brian Fox LinkedIn page
- Sonatype website
- Maven Central Repository
- The State of the Software Supply Chain Report
- Sonatype Blog
- OpenSSF AI/ML Security Working Group
- Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security
