Session

Your Biggest Risk Isn’t Your Code, It’s Your Dependencies

Modern software is no longer built from code your team writes alone. It is assembled from open-source packages, containers, SDKs, SaaS integrations, generated code, and third-party services layered across the stack. In many applications, the majority of the code running in production was never authored, reviewed, or maintained by your developers. That means much of your attack surface lives outside your repo.

This session explores why dependency risk has become one of the biggest engineering and security challenges in cloud-native development. Using incidents such as Codecov, Log4Shell, SolarWinds, and the XZ Utils backdoor, we examine how a single compromised component can move silently through CI/CD pipelines, artifact registries, containers, and production environments.

Rather than focusing only on CVE counts, this talk shows developers how supply chain risk actually enters systems: transitive dependencies, over-permissioned packages, abandoned libraries, tampered build pipelines, unsigned artifacts, and blind trust in upstream maintainers. We will break down why traditional vulnerability scanning alone often creates noise without reducing real exposure.

Attendees will learn practical engineering controls that work: Software Bills of Materials (SBOMs), dependency minimization, version pinning, signature verification, provenance attestation, reproducible builds, least-functionality package selection, runtime inventory, and policy gates in CI/CD pipelines. We will also discuss how AI-generated code can introduce risky packages faster if dependency hygiene is weak.
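As an added illustration of the pinning, hash/signature verification and CI/CD policy-gate controls listed above (example code written for this page, not material from the session or the speaker), the script below is a minimal policy gate a pipeline can run before a build proceeds. It checks that every entry in a pip requirements file is pinned with `==` and carries a `--hash=sha256:` digest, which is what pip's `--require-hashes` mode enforces at install time, and that every component in a CycloneDX-style SBOM has a name, version and package URL and is not on a deny list of abandoned packages. The requirements text, the all-zero digest, the SBOM document and the `leftpad-legacy` deny-list entry are all constructed for the example.

```python
"""Minimal CI policy gate for dependency hygiene (added example, not the session's code)."""
import json
import re

FAKE_DIGEST = "0" * 64  # constructed placeholder, not a real package digest

# Constructed sample requirements file; comments mark the expected verdicts.
SAMPLE_REQUIREMENTS = f"""\
# pinned and hashed: OK
requests==2.32.3 \\
    --hash=sha256:{FAKE_DIGEST}
# pinned but no hash: fails
urllib3==2.2.2
# unpinned range: fails
certifi>=2024.2.2
# git URL: fails (a moving branch is not an immutable, hash-verifiable artifact)
somepkg @ git+https://example.invalid/somepkg.git@main
"""

# Constructed CycloneDX-style SBOM with one component lacking a purl
# and one on the deny list.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "urllib3", "version": "2.2.2"},
        {"type": "library", "name": "leftpad-legacy", "version": "0.1.0",
         "purl": "pkg:pypi/leftpad-legacy@0.1.0"},
    ],
}
ABANDONED = {"pkg:pypi/leftpad-legacy"}  # constructed deny list of unmaintained packages

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # '#' starts a comment
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def check_requirements(text):
    """Return (requirement, reason) violations; an empty list means the file passes."""
    violations = []
    for req in _logical_lines(text):
        if not PIN_RE.match(req):
            violations.append((req, "not pinned with =="))
        elif not HASH_RE.search(req):
            violations.append((req, "pinned but no sha256 hash"))
    return violations


def check_sbom(sbom, deny=ABANDONED):
    """Return (component, reason) violations for incomplete or denied SBOM entries."""
    violations = []
    for comp in sbom.get("components", []):
        ident = f"{comp.get('name')}@{comp.get('version')}"
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                violations.append((ident, f"missing {field}"))
        base_purl = comp.get("purl", "").split("@", 1)[0]  # strip the version qualifier
        if base_purl in deny:
            violations.append((ident, "abandoned/denied package"))
    return violations


def gate(requirements_text, sbom):
    """True when both checks pass; a pipeline would fail the job otherwise."""
    return not check_requirements(requirements_text) and not check_sbom(sbom)


if __name__ == "__main__":
    for item, reason in check_requirements(SAMPLE_REQUIREMENTS) + check_sbom(SAMPLE_SBOM):
        print(f"FAIL  {item}: {reason}")
    print("gate:", "PASS" if gate(SAMPLE_REQUIREMENTS, SAMPLE_SBOM) else "FAIL")
    print(json.dumps(SAMPLE_SBOM["components"][0]))
```

Run as a CI step and fail the job when `gate()` returns False. The hash check is only meaningful if the build itself installs with `pip install --require-hashes`; the gate verifies the file is complete, pip verifies the downloaded artifact actually matches.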

Developers will leave with actionable patterns to reduce blast radius, improve visibility, and build software supply chains that are faster, safer, and easier to trust.

Jeff Apolis

Cybersecurity and AI strategist

Atlanta, Georgia, United States


