If AI agents are writing your code, how are you making sure it's secure?
In this episode of Futureproof, Prakash Chandran sits down with Tim Olshansky, CTO and co-founder of Fencer, to explore what application security really looks like in a world where AI writes most of the code and open source software underpins everything. Tim shares his journey from engineer—navigating bureaucratic security processes at larger organizations—to building a platform that makes security accessible for companies under 200 employees. Together, they unpack why compliance certifications often create a false sense of security, how the open source supply chain has become a prime target for attackers, and what "trust but verify" means when Claude is opening your pull requests. They also discuss practical steps any builder can take today—from package manager hygiene to cooldown periods—and why figuring out how to hire engineering talent has never been harder.
Topics covered include:
00:00
Meet Tim Olshansky
Prakash introduces Tim's background as a CTO and technical co-founder who lived the pain of enterprise security firsthand—and why he and his co-founder set out to build Fencer.
02:10
The Origin Story Behind Fencer
Tim traces his path from struggling with security bureaucracy at larger organizations to co-founding a company that makes security accessible for teams without a dedicated security function.
05:15
Compliance Theater vs. Real Security
A discussion on why SOC 2 certifications are now table stakes but often amount to checkbox exercises—and why companies get certified without actually implementing what they promise.
07:00
Security Hygiene for Small Teams
Tim breaks down the baseline security practices every company under 200 employees should adopt—from vulnerability scanning and penetration testing to identity management—and why it's simpler and cheaper than most people think.
09:00
The Five Pillars of Application Security
A walkthrough of the key areas Fencer covers: code, infrastructure, networks, identity, and monitoring—and why even companies that don't sell software are targets for opportunistic hackers.
11:00
Open Source Supply Chain Risk
Tim explains how attackers exploit open source libraries to gain access to thousands of commercial products, why the volunteer community is increasingly targeted, and how recent high-profile hacks have changed the conversation.
13:30
The Race Between Finding and Fixing
Why the ability to rapidly patch vulnerabilities—not just detect them—is becoming the defining security challenge, and how supply chain attacks accelerate the timeline.
16:30
Practical Supply Chain Defenses
Actionable advice on using package managers with lock files, setting cooldown periods on new dependency versions, and why waiting just two days before adopting a new release can prevent most supply chain attacks.
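The lock file plus cooldown advice above can be turned into a CI check. The script below is an added example (not Fencer's code or anything from the episode): it walks a package-lock.json-shaped mapping, flags any pinned version published less than two days before the check, and separately flags entries with no integrity hash, since a lock file without hashes pins a version name but not the artifact. The lockfile contents, the publish timestamps and the reference time are all constructed for the example; in real use the timestamps would come from the registry's per-version metadata for each package.

```python
"""Dependency cooldown check over an npm lockfile.

Added example (not Fencer's code): given a package-lock.json-style mapping and
per-version publish timestamps of the kind the npm registry exposes in its
"time" field, flag any pinned version that is younger than a cooldown window
or that lacks an integrity hash. Everything below is constructed sample data.
"""
from datetime import datetime, timezone

COOLDOWN_DAYS = 2  # the two-day wait discussed in the episode

# Constructed sample in the shape of package-lock.json (lockfileVersion 3).
SAMPLE_LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "chalk": "^5.3.0", "lodash": "^4.17.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "integrity": "sha512-CONSTRUCTED_PLACEHOLDER",
        },
        "node_modules/chalk": {
            "version": "5.4.0",
            "integrity": "sha512-CONSTRUCTED_PLACEHOLDER",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            # no "integrity" key: this entry pins a version but not the artifact hash
        },
    },
}

# Constructed stand-in for registry metadata: package -> version -> publish time.
# (npm's registry document carries this under "time"; the values here are invented.)
SAMPLE_PUBLISH_TIMES = {
    "left-pad": {"1.3.0": "2018-03-20T00:00:00.000Z"},
    "chalk": {"5.4.0": "2024-06-09T12:00:00.000Z"},    # half a day old at NOW
    "lodash": {"4.17.21": "2024-06-07T00:00:00.000Z"},  # three days old at NOW
}

# Fixed reference time so the example is deterministic.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nested and scoped packages)."""
    marker = "node_modules/"
    return lock_path[lock_path.rfind(marker) + len(marker):]


def parse_iso(ts: str) -> datetime:
    """Parse a registry-style ISO-8601 timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_cooldown(lockfile, publish_times, now=NOW, cooldown_days=COOLDOWN_DAYS):
    """Return a list of (name, version, reason) findings for the lockfile."""
    findings = []
    for path, entry in lockfile["packages"].items():
        if path == "":  # the root project entry, not a dependency
            continue
        name, version = package_name(path), entry.get("version")
        if "integrity" not in entry:
            findings.append((name, version, "no integrity hash in lockfile"))
        published = publish_times.get(name, {}).get(version)
        if published is None:
            findings.append((name, version, "no publish date available"))
            continue
        age_days = (now - parse_iso(published)).total_seconds() / 86400
        if age_days < cooldown_days:
            findings.append((name, version, f"published {age_days:.1f} days ago (< {cooldown_days})"))
    return findings


if __name__ == "__main__":
    for name, version, reason in check_cooldown(SAMPLE_LOCKFILE, SAMPLE_PUBLISH_TIMES):
        print(f"{name}@{version}: {reason}")
```

Run as a pre-merge step, a non-empty findings list fails the build; the cooldown only blocks a release that is too new, so a version that was fine two days ago passes once the window has elapsed, which matches the wait-and-see policy described in the episode rather than a blanket ban on updates.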
20:30
AI Code Review and the Trust Problem
How AI agents writing and reviewing code creates a circular trust issue—like asking a junior engineer to evaluate their own work—and why human oversight remains essential.
24:00
Defining What Needs Human Eyes
Tim's framework for deciding which changes can be fully automated and which still require human review—starting with a simple checklist and building toward systematic guardrails.
26:30
LLMs Don't Know Your Best Practices
Why models trained on public code miss the security standards of well-run organizations, and why configuration and platform choices—not just code quality—are where most breaches happen.
29:30
Treat AI Like a Smart but Fallible Employee
Tim argues that shifting your mental model—from trusting AI output implicitly to treating it like an above-average employee who still needs oversight—is the most important mindset change builders can make.
32:00
The Future: Walled Gardens, Identity, and Trust
A look at how security will evolve—from hardened Docker images and verified open source vendors to IETF proposals for agent identity tracking and why cryptographic trust may finally find its moment.
37:00
Fencer's Own AI Journey
Tim shares how his team went from 40% to nearly 100% AI-driven code in a single month, why 25,000 unit tests and strict CI pipelines made the transition possible, and what they still won't automate.
42:00
The Hardest Question: Hiring in an AI World
Why traditional engineering interview signals no longer predict success, what Tim is still trying to figure out about evaluating talent, and why intrinsic motivation and fundamentals matter more than ever.