Scalably Securing Third-party Dependencies in Large Codebases

Ziyad Edher, Chris Norman

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Supply chain attacks are now the most effective way to compromise highly secured environments, because everything else has gotten harder. Ziyad Edher and Chris Norman from Anthropic's security team explain why standard supply chain approaches like SLSA fall short for heterogeneous, research-driven infrastructure — and describe Dependent, the admission control system they built to govern third-party packages across Anthropic's AI training and inference clusters, without bringing the research environment to a halt.

AI review

Anthropic security engineers describing the real operational problem of supply chain governance in a heterogeneous AI research environment — and the custom admission control system they built because SLSA doesn't solve content, only provenance. The LibXZ backdoor framing and the 'buy the wall factory' economics are well-argued. The Dependent system is immature but the architectural reasoning behind it is sound.
