When the foundations of our digital world are built on billions of lines of open-source code, are we doing enough to protect them? And what happens when the very mechanism of compliance becomes a loophole?
Our CEO, Björn, recently sat down with security expert Charlie Eriksen, a Security Researcher at Aikido Security and Founder of JSWZL, on the latest "Hack & Tell" podcast. Their chat began with a trip through Charlie's career, from working security in the gaming world to spotting and breaking down the next huge supply chain worm. They then moved on to discuss security and trust in the world of open source software and the supply chain.
Keep reading for a glimpse into their discussion. Or watch or listen to the full podcast episode, if you prefer.
Charlie's path into the modern security frontier began in an intense environment: gaming. While at CCP Games in Iceland, his responsibilities spanned far beyond typical IT security.
This intensely fast-paced world, where threats were constant and the stakes involved real-world money and geopolitical concerns, laid the foundation for his next moves into offensive security at Syndis and later co-founding the hands-on security training company, Adversary (later acquired by Secure Code Warrior).
After leaving Syndis, Charlie was instrumental in founding Adversary, which grew out of a crucial question posed after a major security incident: How do we prevent this from happening again?
Charlie’s answer was unconventional: training, but make it hands-on.
This philosophy reflects a core belief that still drives him today: for you to be able to build things really well, you also need to be able to break them. This principle defines the current work Charlie does at Aikido Security, where his focus has shifted from finding flaws in proprietary systems to identifying malicious code in the building blocks of the modern internet.
Charlie’s current role as a Security Researcher focuses heavily on malware research, particularly within the open-source supply chain. While it shares the "curiosity" of vulnerability research, the objective is different.
The sheer volume of new code makes automation critical. He states that Aikido analyzes 50,000 packages a day, with automated rules filtering out the vast majority. However, Charlie stresses that human expertise remains vital for triaging the hundreds of packages that get flagged and for refining those automated rules.
The discussion quickly moved on to recent, high-impact incidents that prove the urgency of Charlie’s work, most notably the 2023 compromises within the Node Package Manager (NPM) ecosystem.
These events highlight the fragile balance between trust in open-source ecosystems and the potential for widespread vulnerabilities. The threat model has changed: attackers aren't just targeting the production server. They are targeting the developer’s machine to steal credentials and inject malicious code into the supply chain.
Perhaps the most challenging concept raised in the discussion was "trust-washing" in open-source software, which reveals a critical flaw in how we approach security and compliance today.
But first…
Charlie points out that open-source components are often ignored during detailed security scrutiny applied to in-house code during compliance audits.
Since virtually every application is built on a foundation of code the company does not own, and the company has no way to inspect the security practices of the maintainers behind that code, auditors are forced to leave it out of scope. This creates a dangerous paradox:
Charlie argues that this challenge is not just an internal problem for companies, but a systemic failure of the ecosystem itself to self-regulate.
Given the shifting threat landscape, the rise of AI-assisted development, and the fragility of the supply chain, the discussion concluded with advice for business leaders on navigating this new reality.
Cybersecurity is not a project. It is a continuous, evolving process, and a permanent line item on the profit and loss statement.
Business leaders must move past the idea of achieving a "terminal state" of security. Instead, they must foster a culture of continuous improvement, risk-minimization, and rapid response.
While awareness training is important, it is not the sole solution. With AI accelerating development, real-time feedback and guardrails are essential.
Ultimately, Charlie believes that even the most senior, technical employees need a dose of self-awareness.
In a world driven by instant gratification and the pressure to ship fast, the best advice for security is to slow down and hold ourselves accountable for the code we produce. Good things take time. In security, skipping the final 20% of effort is what leads to catastrophic breaches.
Concluding the conversation on the future of security, Charlie emphasized the need for adaptability and the belief that offense is the best defense.
The investment in security research and defense is paramount, and every company must recognize it is a new "border" subject to attack. Securing the future means questioning existing norms, balancing the speed of innovation with caution, and fostering a culture where security is fundamentally interwoven with development and management—a lesson that is being written in blood across the digital world.
This article is based on a podcast episode with Charlie Eriksen from the "Hack and Tell" podcast series.
Watch the full episode on YouTube, or listen on Spotify.