
Securing AppDev in the Age of AI and Open Source Risk

The Exploding Supply Chain Threat

The software supply chain has become the soft underbelly of cybersecurity. By 2026, 45% of organizations worldwide will have experienced a software supply chain attack, a massive jump from less than 10% in 2021. This rapid escalation highlights how targeting one weak link, often a third-party tool or open-source component, can compromise thousands of downstream businesses. I had the chance to discuss this critical inflection point with Dan Lorenc, co-founder and CEO of Chainguard, to explore the need for a new security paradigm focused on integrity, reproducibility, and proactive defense that doesn’t sacrifice developer speed.

The Terrifying Truth of Open Source Dependence

Modern applications are overwhelmingly built on code written by “strangers on the internet.” Lorenc notes that 90% to 98% of a modern application’s lines of code are open source. While open source is a massive accelerator for innovation, its use introduces profound fragility, because it comes with none of the enterprise guarantees (support, patch commitments, accountability) that commercial software carries.

“When you explain it to people that don’t quite understand how it works, you know, open source is amazing because anyone on the Internet can write it. We’re deploying and running code written by strangers on the Internet. If you’ve spent any time on the Internet, you realize how terrifying that is.”

The core problem is one of structural integrity. The open-source supply chain is held together by “duct tape and rubber bands,” making it an easy target for malware injection, unmaintained projects, and packages that cannot be traced back to the source code they claim to be built from. For enterprises, this means a “supply chain” that crumbles from the bottom up, forcing a shift beyond simple vulnerability scanning to a verifiable foundation of trust.

The ‘Catch-Up Left’ and Developer Velocity

The rise of public cloud and Infrastructure as Code placed immense power and responsibility into developers’ hands, allowing them to provision and deploy without traditional security gatekeepers. While this accelerated innovation, it left security teams in a state of playing “catch-up left.”

Security has been forced to run left and embed itself directly into development teams and CI/CD pipelines. This integration is essential for modern AppDev, where 24% of organizations aim to release code hourly. To achieve this speed, security cannot be a “no” that appears the day before launch.

Lorenc emphasizes that the goal of companies like Chainguard is to provide “the ultimate guardrail” with secure, continuously verified components so that engineers can focus on building their code. This approach frees developers from the toil of patching, dependency management, and constant vulnerability triage, allowing AppDev velocity to increase while security is baked in, not bolted on.

AI and Regulatory Pressure

Two major accelerants are increasing the need for supply chain integrity: AI and a new wave of global regulation.

  1. AI-Generated Code: The mainstreaming of AI has democratized programming, leading to more people, including citizen developers, writing more code faster than ever before. This explosion in code volume can easily overwhelm existing security teams, tooling, and automation, pushing 3x, 5x, or even 10x the volume through systems that weren’t built to handle it. This risk is compounded by the fact that the code is often written by people without professional development backgrounds, necessitating powerful, automated guardrails.
  2. Regulatory Liability: New global regulations are shifting liability and accountability directly onto software producers.
    • The EU’s Cyber Resilience Act (CRA): This regulation, with key compliance deadlines in September 2026 and full enforcement by December 2027, mandates “security by design” for virtually all digital products sold in the EU. Early, severe drafts of the CRA even suggested placing liability on open-source maintainers, creating a “doomsday scenario” for the community.
    • NIST’s Secure Software Development Framework (SSDF): In the U.S., the government is using its purchasing power to enforce the SSDF, which mandates secure development practices and flows transitively down to vendors and their supply chains.

The stakes are higher than ever, with executive teams facing the threat of jail time or massive fines for compliance failures. As mentioned in this episode, whether the code was written by an engineer, an open-source maintainer, or an AI model, “You are responsible for what you put out the door.”

The Insufficiency of Forms and Signatures

Given this explosive risk profile, the industry must recognize that simple forms, signatures, and SBOMs are not sufficient in isolation.

  • SBOMs are necessary inventory lists, but they will never include a line that says “malware injected here.” They are best for managing known vulnerabilities and keeping software updated.
  • Signatures can help trace a malicious package back to whoever published it, but they do not prevent it from being published or consumed.

The only way to effectively counter the threat is to build a secure supply chain holistically, encompassing both the first-party code an organization writes and the third-party code it pulls in. For the open-source piece, Lorenc suggests that a trusted source, such as Chainguard, which continuously rebuilds and verifies open-source components from the source, acts as a fundamental guardrail against the inherent instability of the internet at large.
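As an added illustration of the two bullets above and of the verification idea in the last paragraph (example code written for this article, not Chainguard's tooling), the script below generates a minimal CycloneDX-style SBOM from constructed artifacts, matches its components against a constructed advisory feed, and checks the recorded digests against the bytes actually fetched. All package names, advisory IDs and artifact contents are invented. It shows what an SBOM does well (inventory, known-vulnerability triage, catching a swapped artifact) and what it cannot do: a component that upstream shipped with unwanted code passes both checks, because no advisory lists it and its hash matches exactly what was catalogued.

```python
"""SBOM inventory and hash checks: what they catch, and what they cannot.

Added example for this article. Package names, advisory IDs and artifact
bytes are all constructed; nothing here is a real project or a real advisory.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the algorithm CycloneDX labels "SHA-256"."""
    return hashlib.sha256(data).hexdigest()


def split_purl(purl: str) -> tuple[str, str]:
    """Split "pkg:pypi/libfoo@1.2.3" into ("pkg:pypi/libfoo", "1.2.3")."""
    base, sep, version = purl.rpartition("@")
    return (base, version) if sep else (purl, "")


def make_sbom(artifacts: dict[str, bytes]) -> dict:
    """Build a minimal CycloneDX-style SBOM (as a dict) from purl -> artifact bytes.

    This mirrors what an SBOM generator does at build time: it inventories what
    was packaged and records a digest of each component. It records nothing
    about whether those bytes are benign.
    """
    components = []
    for purl, data in artifacts.items():
        base, version = split_purl(purl)
        components.append({
            "type": "library",
            "name": base.rsplit("/", 1)[-1],
            "version": version,
            "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


@dataclass(frozen=True)
class Advisory:
    """A known-vulnerability record: which purl base, which exact versions."""
    advisory_id: str
    purl_base: str
    affected_versions: frozenset[str]


def known_vulnerabilities(sbom: dict, advisories: list[Advisory]) -> list[tuple[str, str]]:
    """Return (purl, advisory_id) for each component matching a published advisory."""
    hits = []
    for comp in sbom["components"]:
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv.purl_base == base and version in adv.affected_versions:
                hits.append((comp["purl"], adv.advisory_id))
    return hits


def verify_hashes(sbom: dict, fetched: dict[str, bytes]) -> dict[str, bool]:
    """Compare each component's recorded SHA-256 with the bytes actually fetched.

    A mismatch means the artifact is not the one the SBOM describes (tampering,
    a swapped release, a stale SBOM). A match only means "same bytes as catalogued".
    """
    results = {}
    for comp in sbom["components"]:
        recorded = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        data = fetched.get(comp["purl"])
        results[comp["purl"]] = data is not None and sha256_hex(data) == recorded
    return results


# Constructed upstream artifacts standing in for downloaded packages.
UPSTREAM = {
    "pkg:pypi/libfoo@1.2.3": b"def parse(x): return x.split(',')\n",
    "pkg:pypi/libbar@2.0.0": b"def render(t): return t.upper()\n",
    "pkg:npm/libbaz@0.9.1": b"module.exports = (s) => s.trim();\n",
    # Shipped by upstream already carrying unwanted code: the SBOM inventories it
    # faithfully, hash and all, because that is exactly what was released.
    "pkg:pypi/quiet-lib@3.1.0": b"def helper(): pass\n# constructed: unexpected code here\n",
}

# Constructed advisory feed; the IDs are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "pkg:pypi/libfoo", frozenset({"1.2.2", "1.2.3"})),
    Advisory("ADV-EXAMPLE-0002", "pkg:npm/libbaz", frozenset({"0.8.0"})),
]


def audit(sbom: dict, advisories: list[Advisory], fetched: dict[str, bytes]) -> dict:
    """Run both checks and return their results together."""
    return {
        "known_vulns": known_vulnerabilities(sbom, advisories),
        "hash_ok": verify_hashes(sbom, fetched),
    }


def demo() -> dict:
    """Generate the SBOM at 'build time', then audit what a consumer later fetches."""
    sbom = make_sbom(UPSTREAM)
    fetched = dict(UPSTREAM)
    # One artifact is swapped between publication and download (constructed).
    fetched["pkg:npm/libbaz@0.9.1"] = b"module.exports = (s) => s.trim(); // constructed: altered\n"
    return audit(sbom, ADVISORIES, fetched)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it flags libfoo through the advisory feed and libbaz through the hash mismatch, while quiet-lib comes out clean on both counts: the SBOM proves you received what was catalogued, not that what was catalogued was trustworthy, which is why the article argues for a verified source that rebuilds components from the source code rather than a richer inventory.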
