
Architecture Meets Reality: Securing the Open Source Supply Chain with an Invisible Safety Net

Open source powers modern software development, but it also brings a fast-growing minefield of outdated, vulnerable, and outright malicious packages. From high-impact vulnerabilities like React2Shell to self-spreading malware worms like Shai Hulud, the supply-chain threat landscape is evolving faster than traditional practices can keep up.

In this talk, we will break down the moving parts of open source supply chain security, as well as the cultural and process challenges engineering organisations face as ecosystems evolve and adversaries grow more sophisticated. We'll explore practical ways of strengthening development workflows with smarter automation, guardrails, and developer-centric practices that keep dependencies secure and up to date, without slowing or disrupting developer flow.

Key takeaways:

What a "Code Red" pipeline looks like, and how malicious open source packages can easily infiltrate a system
How to build security into the entire development pipeline
Mature security is not about slowing developers down, but about creating an invisible safety net

Target audience:

Developers, Architects, Security Engineers, Platform Engineers, and AppSec

Kumaresh Somi

Security Architect, Global CISO at ING Bank

Amsterdam, The Netherlands
