A New XZ Every Day: The Rude Awakening of Open Source Supply Chains

Enterprise software has radically changed over the last 20 years, largely due to a massive increase in the use of open source libraries, but our application security tools are still designed with outdated assumptions from the 1900s. Enterprise software now faces more risk from supply chain attacks than from “traditional” vulnerabilities, but the tools ignore the risk until it’s too late. There have been loud and clear red flags (Log4Shell, XZ, etc.), and these events garnered a few thinkpieces, but our AppSec toolbox has remained largely unchanged. These types of supply chain attacks didn’t exist back in the 20th century, when the vulnerability management strategy embodied in the CVE and NVD programs and tools like Software Composition Analysis were developed, and they have not evolved to meet the threats.

These attacks are accelerating: we’re seeing compromised packages in npm, Python and other ecosystems every day. Meanwhile, the CVE catalog has exploded with more advisories than ever, most of which are not actionable, adding noise and creating alert fatigue for defenders who have been told to “patch faster” and “security harder.” It’s not working. Security teams are struggling with obsolete tools from the last century that aren’t up to the task. The NVD suffered multiple failures in 2024 as a system designed for 20th century software development was crushed under the weight of 21st century realities.

In this session, we’ll explore the trends that got us here, where supply chain attacks are suddenly thriving. There’s a lot of bad news: other open source projects have been infiltrated, and some of these attacks are actually unsolvable. We’ll look at XZ in particular, how this real-world scenario differed from what the experts expected an insider open source attack to look like, and what that means for defenders. We can learn from our past experience, take steps to contain the blast radius, and make the recovery quicker, easier, and less painful.

Paul Novarese

Solutions Engineer, Hunted Labs

Memphis, Tennessee, United States
