From Log4j to xz - Unsolvable Issues in the Software Supply Chain
Securing the software supply chain became a hot topic after the SolarWinds incident in 2020, and the Log4Shell disclosure in 2021 then made the pain tangible to nearly everyone in software development, as organizations around the world scrambled to find every copy of log4j in their environments.
The discovery of the xz backdoor in March 2024 raised the stakes again. A sleeper actor working for years inside a critical open source project had long been a theorized nightmare scenario; suddenly it was real.
We are struggling to understand why supply chain attacks are accelerating and what can be done about them. We're saddled with vulnerability management tools from the last century that aren't up to the task. We've seen NVD suffer multiple failures this year as a system designed for the 20th century is crushed under the weight of 21st century realities. Proposed next-gen solutions are often single-use reactions that don't scale and don't help against the next attacker, or are (in many cases) just security theater.
In this session, we'll explore why these attacks are suddenly thriving. There's a lot of bad news: more open source projects are being targeted, and some of these attacks may be unsolvable. We'll look at xz in particular, how this scenario differed from what the experts expected an insider attack on an open source project to look like, and what that means for defenders. We can learn from past experience and make the recovery quicker, easier, and less painful.

Paul Novarese
Solutions Engineer, Hunted Labs
Memphis, Tennessee, United States