Cyber Voices

Turning Off the Tap: Andrew Haschka on AI, Vulnerabilities and the Software Supply Chain | GitLab

June 10, 2026·30 min
Episode Description from the Publisher

In this episode of Cyber Voices, the official podcast of AISA, host David Savva-Willett is joined by Andrew Haschka, Field CTO for Asia Pacific and Japan at GitLab, for a candid look at the question almost every enterprise is wrestling with right now: how do we let developers move faster with AI without flooding production with vulnerabilities we cannot keep up with? With more than two decades across cyber security, cloud and digital transformation, and prior leadership roles at Google and VMware, Andrew advises organisations and governments across the region on delivering software securely and at speed.

At the heart of the conversation is what Andrew calls the AI paradox. AI can make writing code dramatically faster, yet the flow-on effects in testing, security validation, compliance and release often slow teams down, because the volume of code rises while the team stays the same size. Much of that AI-generated code is drawn from the internet, where not everything is secure by design, so vulnerabilities can increase exponentially. Andrew and David explore the memorable goal of one CISO to turn off the tap of vulnerabilities running in production, and why prevention beats endless triage.

From there the discussion moves to the consumerisation of AI and the sprawl of unmanaged tools, the importance of a traceable system of record that evolves into a knowledge graph, and the defender's advantage in the arms race between teams shipping AI-assisted code and attackers using AI to find weaknesses. Andrew makes the case that a defender whose AI understands the specific code base, threat model and compliance posture will spot what a generic attacker AI misses.

Andrew also unpacks what secure software supply chains look like in an AI-assisted world, from integrity and attestation to provenance and traceability, and shares practical guidance for any security leader being asked to enable AI for their development teams. His advice centres on building intelligent orchestration across three layers: a unified data layer and system of record, strong control and access with purpose-built agents, and a governed experience delivered through an AI gateway rather than uncontrolled sprawl, all with humans firmly in the loop. It is a practical and forward-looking conversation for any CISO, engineering leader or developer trying to capture the benefits of AI without inheriting a new generation of risk.
