
      Implementing End-to-End Software Supply Chain Security for Enhanced Resilience Ft. Michael Lieberman, CTO and Co-Founder at Kusari

      Michael Lieberman, CTO and Co-Founder at Kusari

      ExtraMile by SecureITWorld is a leading interview series featuring industry leaders and pioneers. Here, we discuss the prevailing trends, strategies, and practices in the tech, digital, and cybersecurity space.

      In today’s exclusive session, Michael Lieberman, the visionary CTO and Co-Founder of Kusari, joined us to share how the company is advancing software supply chain security. Kusari offers a unified, actionable view of software supply chain threats while assisting firms in getting real-time visibility into diverse types of vulnerabilities.

      Michael has expertise in engineering and prioritizes transparency alongside security. In the conversations, we’ll explore Michael’s career highlights, his inspirations to establish Kusari, and how AI is boosting software supply chain security. He will further offer insights into the future of supply chain security to guide businesses to adopt a resilient security framework.

      Hello, Michael; it’s great to have you with us today!

      1. Your expertise and contribution to security technologies are truly remarkable. We would like to learn about your professional journey and your roles in different organizations, including Citi, MUFG, and Bridgewater Associates.

      Michael. My career kicked off during the big financial crisis at the end of 2008 and into early 2009. I have worked at places both small and large. My professional journey started at a small managed services consultancy with about a dozen employees. Then I made my way to larger managed services providers focused on DevOps automation and cloud enablement. Eventually, these skills led me to the financial services space working at Bridgewater Associates. My role was to bring my cloud transformation, infra/config as code, and other DevOps skills to a hedge fund. I had always been security-minded, but Bridgewater took it to the next level. I helped build a ton of custom software and cloud architectures to enable the secure development, build, and deployment of critical software. That’s where I first got involved in third-party risk management which eventually became supply chain security. From Bridgewater, I went to MUFG where I was doing very similar work and saw many of the same challenges. Then, I went to Citi where there were again very similar sorts of challenges in adopting cutting edge technologies in a way that was safe, secure, and compliant with regulations.

      2. Kusari is doubtlessly leading the software supply chain security space. What inspired the establishment of the firm, and what are your key goals?

      Michael. The experience my co-founders and I had at various financial institutions, government contractors, etc. inspired us to create Kusari. We kept seeing the same problem time and again. Large organizations were struggling to adopt the technologies they needed, not only to be secure, but also to adapt to the changing industry landscape without a ton of manual effort and red tape. Our key goal for Kusari is to protect our customers from code to deployment. This means securing the software delivery lifecycles of our customers as well as protecting them from external threats via vendor and open source dependencies. And doing it in a way that makes life easier for both security and development teams.

      3. What threats and vulnerability issues generally arise in the software supply chain? Can you share relevant use cases to describe the impact of these vulnerabilities?

      Michael. The software supply chain is just all the code or dependencies you pull into your ecosystem as well as extending that to the software you might deliver to your customers. Securing the software supply chain is about securing the software delivery lifecycle. In the cycle from a developer writing code on their workstation through to the built software being published to a release repository, something can go wrong. In addition, anything you pull in externally is something where its own supply chain could have been compromised or might just have a vulnerability that would impact you by pulling it in. With all that stated though, the majority of issues happen as part of the overall build process. This is where your code and code from your third-party dependencies get pulled in to create compiled, built, and/or packaged software. Once that software has been published to a repository and prepped for deployment, it’s hard to put that cat back in the bag. That’s why it’s critical to secure that level of the supply chain and also track it over time. If you don’t, you might be pulling in software with vulnerabilities that could leak customer data if exploited by an attacker. You might pull in malware because you had a typo and inadvertently used the wrong dependency. You might end up using something that is no longer maintained.

      4. Kusari has recently launched Kusari Inspector. Give us an overview of this tool and tell us how it contributes to DevSecOps.

      Michael. Kusari Inspector is like having a personal security engineer to help you out. It operates on your source code, performing various security checks and highlighting only the issues that are areas of concern, while eliminating noise and nonsense. It does this by providing background checks on external dependencies, highlighting those that are not well maintained, have open vulnerabilities, etc. It also runs various static analysis scans, checking for bad security practices like including secrets in the code or having a SQL injection vulnerability. It then looks at those issues in the context of your code, eliminating false positives. For example, if you have a secret in your code that is clearly not a real secret, but something used in a test, we filter it out or leave it as a lower priority issue to look at. This leaves just the critical issues that impact the safety and security of your software as those to take immediate action on.

      5. What is your opinion on integrating AI into software supply chain security? What are the significant considerations developers should look after in this regard?

      Michael. It has to be done with caution. At Kusari, we built a tool we like to say is “empowered” by AI instead of just powered by AI. This is because a lot of tools out there just throw random data and code at an LLM and ask it to provide good results. This approach has led to hallucinations and a confusing experience to the user. Our approach is around doing a lot of heavy lifting in the supply chain security space by using common supply chain security best practices and tools but adding AI as a way to make adoption of those tools simple as well as making the output of those tools more easily accessible to end users. We like to say that you can get a lock installed on your house without needing to be a locksmith yourself.

      6. Kusari also enables the Learning Center to impart understanding of software supply chain security. How does it enhance the knowledge of professionals and guide them in adopting robust security practices?

      Michael. Most folks care about security, but there’s a constant stream of new tools, best practices, standards, etc. that folks should be aware of and potentially looking at to adopt. We at Kusari have a ton of experience and are involved in the development of many of these tools, best practices, and standards. So we look at the learning center as a way for folks to learn about all the cool new stuff emerging in security and help start to assess and eventually adopt these tools and practices.

      7. How do you think open-source security platforms help businesses of all sizes incorporate strong security frameworks? How can third-party risks impact open-source facilities?

      Michael. The majority of code out there relies on open source in some capacity. Estimates are somewhere around 95% of all software relies on open source. Of those projects that do rely on open source, about 75% of the code that includes external dependencies comes from open source. If the majority of software out there is open source, from Linux to Kubernetes, that means you can’t start to secure the software supply chain without securing open source. A critical vulnerability in something like the Linux kernel will lead to potentially billions of dollars of impact, so securing open source is paramount. You secure open source through the use of open source best practices, tools, standards, etc. This also makes it easier for closed source software to scale out its security by adopting these same practices and tools.

      8. In your opinion, what does the future of supply chain security hold? Which trends will dominate the industry in the upcoming years?

      Michael. AI is the elephant in the room. AI will most likely have a big impact on security, both in terms of needing security for the AI supply chain as well as new tools and services being built that leverage AI to make securing software simpler and more straightforward. The leap many organizations are taking in adopting AI as soon as possible will bite them. I anticipate seeing more organizations getting compromised by malicious or vulnerable AI tools. We’re seeing this today with something called “slopsquatting” which is where AI hallucinates fake external dependencies that attackers then create for real, making it easier for them to distribute malware.
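Both the typo'd dependency in answer 3 and the hallucinated packages in answer 8 share one defensive check: compare every declared dependency against a reviewed allowlist and flag names that are unknown or only an edit or two away from an approved one. The following is an added example, not code from Kusari or from the interview; the allowlist, the requirements text and the helper-library name are constructed for illustration.

```python
import re

# Constructed allowlist of packages the team has already reviewed (not a real policy).
ALLOWED_PACKAGES = {"requests", "urllib3", "cryptography", "PyYAML", "numpy"}

def normalize(name: str) -> str:
    """Normalize a package name the way Python indexes do (case-insensitive, -_. collapse)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposed pair of letters counts as 2 edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Extract normalized package names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # skip blanks and pip options
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def check_requirements(text: str, allowed=ALLOWED_PACKAGES, max_dist: int = 2) -> dict[str, str]:
    """Return {package: finding} for every name that is not on the allowlist."""
    allowed_norm = {normalize(p) for p in allowed}
    findings = {}
    for name in parse_requirements(text):
        if name in allowed_norm:
            continue
        near = sorted(p for p in allowed_norm if edit_distance(name, p) <= max_dist)
        if near:  # looks like a typo of something we trust: classic typosquat shape
            findings[name] = f"possible typosquat of {near[0]}"
        else:     # never reviewed: verify it exists, is maintained, and was not hallucinated
            findings[name] = "not on allowlist; verify it exists and is maintained"
    return findings

# Constructed sample requirements file mixing good, typo'd and unreviewed names.
SAMPLE_REQUIREMENTS = """
requests==2.32.0
reqeusts==2.32.0            # transposed letters
PyYAML>=6
cryptograhpy                # transposed letters
hypothetical-helper-lib     # name an AI assistant suggested; never reviewed
"""
```

Running `check_requirements(SAMPLE_REQUIREMENTS)` reports the two near-miss names as possible typosquats and the unreviewed name as needing verification, while the two allowlisted packages pass silently.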


      About Our Guest

      Michael Lieberman

      Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. He has extensive engineering and architecture expertise with an emphasis on cloud-native technologies and security and privacy use cases. Prior to Kusari, he held engineering leadership positions with Citi, Mitsubishi UFJ Financial Group (MUFG), and Bridgewater Associates. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is also co-chair of the Cloud Native Computing Foundation Financial Services User Group and an OpenSSF TAC and SLSA steering committee member.

      About Company

      Kusari

      Kusari delivers end-to-end software supply chain security, helping organizations gain real-time visibility into dependencies, vulnerabilities, and license risks across both proprietary and open source code. With a unified, actionable view of software supply chain risks, teams can pinpoint issues, prioritize fixes and stay compliant—all with automated, developer-friendly workflows.

      Kusari was founded in 2022 by three cybersecurity experts with decades of experience building secure software in regulated industries. We help you figure out what’s in your software, where the issues are, and how to tackle them. Backed by J2 Ventures, Glasswing Ventures, and Unusual Ventures, Kusari champions open source security, leading efforts in industry associations and maintaining key projects like OpenSSF’s GUAC and Open Source Project Security Baseline.
