AI Code Security: How to Balance Speed & Risk in the New Software Era
Author: miss cyberpenny by Jane Lo
Uploaded: 2025-11-20
Views: 1523
“Every 10 years, there’s a tectonic shift in how we build software… and we’re at the next tipping point.”
AI is transforming how code is written, tested, and deployed — unlocking incredible speed.
But with that acceleration comes a familiar question: are we managing the risks as fast as we’re innovating?
At the Singapore International Cyber Week (SICW), Sunny Rao (SVP, APAC, JFrog) shares three key shifts reshaping software security posture 👇
🔹 The Shadow AI Threat
🔹 From SBOM to MLBOM
🔹 Speed vs. Visibility
As Sunny concludes, “-you want to see AI and software proliferate at speed, but secure”. The goal isn’t to slow innovation — it’s to embrace speed, securely.
-----
00:49 – Intro - AI turning us all into software builders?
01:25 - Reshaping roles: from tedious coding to creative problem-solving and innovation
01:38 - New challenge: balance creativity with governance, compliance, & risk management
01:55 - AI for Bad Actors: Are Cybercriminals Using AI to Write Malware?
02:08 - AI-enabled software: ammunition for bad actors to boost the scale & speed of malicious attacks
02:51 - AI: Teach Non-Coders to Build Software?
03:16 – What is Vibe Coding?
03:27 - AI coding: useful for quick ideation & prototyping
03:40 - For commercial & enterprise production: apply human oversight; evaluate compliance, stability, vulnerabilities
04:09 - Risks: AI Learning & Repeating Old Code Vulnerabilities?
04:45 – “Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack”
04:57 – “Top 25 MCP Vulnerabilities reveal how AI Agents can be exploited”
05:11 – “The side effects of using AI for coding” (cybersecurity implications)
05:25 - Attack surface is growing; balance speed, security, & innovation
06:02 - AI Native Risks: Hallucination?
06:33 – “Vibe coding Fiasco: AI Agent Goes Rogue, Deletes Company’s entire database”
07:06 - AI: amplifying existing security weaknesses
07:16 - Build a foundation: leverage proven, robust software development practices
07:25 - AI is software; apply existing security, governance, compliance standards
07:44 - Shadow AI: Emerging risks?
07:56 - AI models from the web: pose the same risks as unverified open-source code
09:21 - Another risk: Guarding the Inputs into AI?
09:38 - Integration for tools like GitHub Copilot; real-time vetting of Copilot code suggestions
09:58 - Example checks: vulnerabilities, transitive risks, adherence to compliance policies
10:10 - Real-time checks: ensure that security is built in, not bolted on
10:45 - Security for Software in the AI era?
11:05 - Reduce production delays: pre-screen open-source code & AI models
11:59 - Next: Continuous scanning for traditional & AI software, to include e.g. transitive risks
12:36 - Multiple collaborative AI agents: amplify existing risks, mandating end-to-end security, compliance, auditability, control
12:58 - What is AI Bill of Materials?
13:14 - Machine Learning Bill of Materials (MLBOM): Extending the existing "Software Bill of Materials" (SBOM)
13:35 - Gain visibility into AIs: training data, provenance, compliance, bias, security risks
14:31 - MLBOM gives transparency: models, data sources, licenses, compliance standards
15:23 - What does AI Governance entail?
15:46 - Challenge: evidence collection of the complex, end-to-end software development lifecycle
16:05 - AppTrust: integrates with partners (e.g. GitHub) to collect & centralize audit evidence (e.g. BOMs, approvals)
17:06 - Secure by Design: The Essential First Actions?
18:03 - First: Work with pre-approved, policy-compliant, low-risk resources “shift left” (gate incoming pieces - software, extensions, AI models)
18:30 - Second: establish policies: safe use of resources & extensions for ideation
18:50 - Third: Apply continuous scanning
19:02 - JFrog: provides continuous security & artifact management for enterprises to compare models at runtime and assess costs
20:05 - Most Underestimated AI Risk?
20:28 - Underestimating security & rapid adoption of tools, including AI, without sufficient caution
21:33 - Risk: rapid adoption without end-to-end visibility
21:52 - To unlock speed & creativity, security must be a core
22:07 - Wrap-up - most excited about AI x Software?
22:14 - Every decade brings an exciting tectonic shift, we are at the next tipping point
22:39 - Embrace change boldly —backed by sound security at each step.
-----
Recorded at SICW/ Govware, 22nd Oct 2025, 3pm.
-----
Sunny Rao (SVP, Asia Pacific at JFrog) brings almost three decades of business management experience in information technology and enterprise software. Sunny has vast experience and deep expertise in the global expansion of emerging technologies and is passionate about helping customers and partners enhance, secure, and accelerate their entire software supply chain with JFrog.