Cloud Security Office Hours Banner

Friday, April 24, 2026 - Meeting Recap

AI's impact on cybersecurity, Microsoft Red Sun zero-day, HSBC password controversy

- AI 'token-maxxing' debate, Bitwarden CLI supply-chain breach, funding open-source maintainers

Quick recap. The Cloud Security Office Hours meeting focused on discussions about AI token usage and supply chain security threats. Participants, including Tyler, Stryker, and Neil, debated the merits and challenges of "token maxing" in AI development, with Tyler sharing examples of high-productivity AI usage at IBM while others discussed the subsidized nature of current AI tokens and future pricing concerns. The conversation then shifted to supply chain compromises, with Neil presenting recent examples including Bitwarden CLI and Node components, leading to a broader discussion about the challenges of securing open-source dependencies and supporting maintainers. Participants explored various solutions including funding models, security scanning tools like Mythos, and the need for better support of open-source project maintainers, with Stryker suggesting direct support for maintainers and Stryker proposing accountability mechanisms similar to Bruce Schneier's recommendations.

2026-04AISupply ChainVulnerabilitiesSBOM
Show 5 discussion topics

Cloud Security Office Hours Introduction

The meeting was an informal Cloud Security Office Hours session where participants introduced themselves and discussed the community's welcoming nature for new members. Cory shared his background working at Wiz and previously at RSA Security, with experience in FedRAMP and SaaS offerings. John introduced himself as a new participant getting started in cybersecurity, particularly interested in red team and blue team activities. Shawn emphasized that the group maintains a supportive environment where questions are encouraged, especially for newcomers who may not be familiar with certain terminology or concepts.

AI Token Usage Discussion

The group discussed token usage in AI tools, particularly Claude. Tyler shared IBM's approach to tracking and managing token usage through financial controls and incentives, while Shawn and Matt expressed skepticism about the concept of "token maxing," noting that most developers don't come close to using their full token allocation. Mischa emphasized the need to understand both low and high token usage patterns to optimize AI adoption across organizations. Tyler shared an extreme example of a principal engineer who used approximately $750,000 in tokens over seven months to build a product that previously took a team of 170 people a year and a half to develop.

Gen AI Adoption Discussion

The group discussed the impact and costs of adopting Gen AI and agentic engineering practices. Milos shared significant productivity gains from using Gen AI, despite current token costs, and emphasized the importance of adopting these practices early. Stryker raised concerns about token pricing and subsidies, while Tyler and others discussed copyright and security implications of AI-generated content. The conversation also touched on the potential for reverse engineering and the importance of enterprise licensing for businesses implementing AI solutions. Milos highlighted the emergence of local models as a cost-effective alternative to cloud-based solutions.

Token Pricing and Supply Chain

The group discussed token pricing and its impact on behavior, with Shawn explaining how higher prices would lead to more local model usage. Tyler shared that Project Bob uses a local harness to evaluate complexity and routes requests accordingly. The conversation then shifted to supply chain compromises, with Neil highlighting recent incidents involving Bitwarden CLI and Checkmarx. Stryker suggested that organizations might start avoiding updates due to supply chain concerns, while Neil warned against overreacting and potentially becoming more vulnerable by delaying updates. The discussion concluded with a brief mention of potential solutions, including the use of cool-down periods and reputation-based controls for supply chain security.

Open Source Security Funding Debate

The group discussed supply chain security challenges, particularly focusing on open source software vulnerabilities. Tyler highlighted the need for automated scanning of upstream components at machine speed using tools like Mythos, suggesting that major companies should collectively sponsor security scanning of critical open source libraries. The discussion explored ways to support open source maintainers, with Stryker proposing providing YubiKeys and threat intelligence to maintainers, while Neil suggested that companies should directly support maintainers rather than funding scanning tools. The group debated whether funding should go toward security tokens or salaries for maintainers, with Neil advocating for $0 funding of tokens and instead supporting companies to contribute directly to open source projects. Josef raised concerns about accountability in the open source model, suggesting that a Red Hat-style model with liability transfer might be necessary for security improvements.

↑ All meeting recaps