Where The Wild Things Are: The State Of Open Source Supply Chain Risk Management In Three Stories

CVE/FIRST VulnCon 2025 · Main Stage

In this VulnCon talk, "Where The Wild Things Are: The State Of Open Source Supply Chain Risk Management In Three Stories," speaker Maui examines the challenges facing modern software supply chains, in particular the pervasive and often hidden risks carried by open-source dependencies. Most software is not written from scratch but assembled from a deep tree of open-source components, and an application inherits the vulnerabilities of every component in that tree. Maui argues that current supply chain security practice is predominantly reactive: organizations remain exposed to long-latent bugs while being overwhelmed by a deluge of non-actionable alerts.

AI review

A competent, well-structured talk on open-source supply chain risk that hits the right problems — reactive SCA tooling, alert fatigue, maintainer friction — and backs them up with real numbers from actual scanning campaigns. The 2,000 PyPI projects / 14,000 dependencies study and the Jenkins comparison give this some teeth, and the VEX automation angle is genuinely useful framing. But the talk stops short of being genuinely novel: proactive static analysis, VEX reachability, and 'be nice to maintainers' are established themes in this space, and the core tool (ICR) is proprietary with claims…
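The summary's "deluge of non-actionable alerts" and the review's mention of VEX automation describe the same mechanism: a scanner reports every known vulnerability in every dependency, and a VEX document records which of those findings the producer has determined do not apply. The block below is an added example, not code from the talk or from the ICR tool it describes. It triages a constructed list of SCA findings against a constructed OpenVEX document; every CVE identifier, package URL and author string in it is a placeholder, and the statement/status/justification field names follow the OpenVEX schema.

```python
"""Triage SCA findings against an OpenVEX document.

Added example (not code from the talk, the speaker or the ICR tool).
All identifiers below are constructed placeholders.
"""
import json
from dataclasses import dataclass

# OpenVEX statuses meaning no action is required for that product.
NON_ACTIONABLE = {"not_affected", "fixed"}


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # vulnerability identifier reported by the scanner
    purl: str      # package URL of the dependency the scanner flagged


def build_vex_index(vex_doc: dict) -> dict:
    """Map (vulnerability id, product purl) -> statement.

    OpenVEX statements are ordered; a later statement for the same pair
    supersedes an earlier one, so the last write wins here.
    """
    index = {}
    for stmt in vex_doc.get("statements", []):
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(vuln, product["@id"])] = stmt
    return index


def triage(findings, vex_doc):
    """Split findings into (actionable, suppressed).

    A finding is suppressed only when a statement covers the exact
    vuln/product pair with a non-actionable status. A not_affected
    statement without a justification is treated as unverified and
    the finding is kept, so a bare "trust me" cannot silence an alert.
    """
    index = build_vex_index(vex_doc)
    actionable, suppressed = [], []
    for f in findings:
        stmt = index.get((f.vuln_id, f.purl))
        if stmt is None:
            actionable.append(f)                 # no VEX coverage at all
            continue
        status = stmt.get("status")
        if status == "not_affected" and not stmt.get("justification"):
            actionable.append(f)                 # unjustified claim: keep
        elif status in NON_ACTIONABLE:
            suppressed.append(f)
        else:                                    # affected / under_investigation
            actionable.append(f)
    return actionable, suppressed


# Constructed OpenVEX document; ids, purls and author are placeholders.
VEX_JSON = """
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/demo-1",
  "author": "constructed example pipeline",
  "timestamp": "2025-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:pypi/examplelib@2.0.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:pypi/otherlib@1.4.0"}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:pypi/examplelib@2.0.0"}],
     "status": "not_affected"}
  ]
}
"""
VEX_DOC = json.loads(VEX_JSON)

# Constructed scanner output: four findings, only the first is covered by
# a justified not_affected statement.
FINDINGS = [
    Finding("CVE-0000-0001", "pkg:pypi/examplelib@2.0.0"),
    Finding("CVE-0000-0002", "pkg:pypi/otherlib@1.4.0"),
    Finding("CVE-0000-0003", "pkg:pypi/examplelib@2.0.0"),
    Finding("CVE-0000-0004", "pkg:pypi/thirdlib@0.9.0"),
]

if __name__ == "__main__":
    keep, drop = triage(FINDINGS, VEX_DOC)
    print("actionable:", [f.vuln_id for f in keep])
    print("suppressed:", [f.vuln_id for f in drop])
```

The matching is deliberately exact on the package URL: a statement about `examplelib@2.0.0` says nothing about `examplelib@2.1.0`, and widening the match is how a stale VEX document quietly suppresses a real regression.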
