<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Sofia Reis — Blog</title>
    <link>https://sofiaoreis.com/en/blog</link>
    <description>Notes on software security, static analysis, and AI.</description>
    <language>en</language>
    <lastBuildDate>Mon, 22 Jun 2026 18:04:40 GMT</lastBuildDate>
    <item>
      <title>Controls for AI-Assisted Code Risk</title>
      <link>https://sofiaoreis.com/en/blog/controls-for-ai-assisted-code</link>
      <guid isPermaLink="true">https://sofiaoreis.com/en/blog/controls-for-ai-assisted-code</guid>
      <pubDate>Fri, 12 Jun 2026 00:00:00 GMT</pubDate>
      <description>You can&apos;t ban AI coding tools, and you shouldn&apos;t. Practical controls, and quick developer and DevSecOps tips, to treat AI-assisted code as the supply-chain risk vector it is.</description>
    </item>
    <item>
      <title>Why AI-Generated Code Is a CRA Problem</title>
      <link>https://sofiaoreis.com/en/blog/ai-generated-code-and-the-cra</link>
      <guid isPermaLink="true">https://sofiaoreis.com/en/blog/ai-generated-code-and-the-cra</guid>
      <pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate>
      <description>Under the EU Cyber Resilience Act, the manufacturer is liable for the security of every component, including the code and dependencies your AI tools introduce.</description>
    </item>
    <item>
      <title>What Is the CRA, and Why Should You Care?</title>
      <link>https://sofiaoreis.com/en/blog/what-is-the-cra</link>
      <guid isPermaLink="true">https://sofiaoreis.com/en/blog/what-is-the-cra</guid>
      <pubDate>Mon, 25 May 2026 00:00:00 GMT</pubDate>
      <description>A plain-English primer on the EU Cyber Resilience Act: who it covers, the six obligations, the deadlines that actually matter, and why most of it is just good security.</description>
    </item>
    <item>
      <title>Slopsquatting: The Packages Your AI Invents</title>
      <link>https://sofiaoreis.com/en/blog/slopsquatting-hallucinated-packages</link>
      <guid isPermaLink="true">https://sofiaoreis.com/en/blog/slopsquatting-hallucinated-packages</guid>
      <pubDate>Fri, 15 May 2026 00:00:00 GMT</pubDate>
      <description>LLMs don&apos;t just write code, they pick dependencies, and sometimes the packages they recommend don&apos;t exist. Attackers have noticed.</description>
    </item>
    <item>
      <title>Do LLMs Prefer Insecure Code?</title>
      <link>https://sofiaoreis.com/en/blog/do-llms-prefer-insecure-code</link>
      <guid isPermaLink="true">https://sofiaoreis.com/en/blog/do-llms-prefer-insecure-code</guid>
      <pubDate>Sun, 10 May 2026 00:00:00 GMT</pubDate>
      <description>Across security-sensitive tasks, most language models lean toward the insecure implementation by default. Our ICST 2026 research, and the broader industry data on why.</description>
    </item>
    <item>
      <title>Start here</title>
      <link>https://sofiaoreis.com/en/blog/welcome-to-the-blog</link>
      <guid isPermaLink="true">https://sofiaoreis.com/en/blog/welcome-to-the-blog</guid>
      <pubDate>Fri, 01 May 2026 00:00:00 GMT</pubDate>
      <description>Why I started this blog: bits of what I do and see in my research, plus notes on being a researcher, professor, and founder (with some time in big tech during my PhD).</description>
    </item>
  </channel>
</rss>
