
EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security
From Cloud Security Podcast by Google by Anton Chuvakin
April 6, 2026 · 27 min · Season 1 · Episode 270
About this episode
The episode discusses the challenges of supply chain security and the impact of convenience on security practices.
Guest: Dan Lorenc , Founder / CEO, Chainguard Topics: We just saw a security tool (Trivy) get used to pop an AI infrastructure tool (LiteLLM) to eventually pop end users. Have we reached the point where our security tooling is actually our largest unmanaged attack surface? Why now? Software supply chain security had the perennial vibe of "not top concern" for most organizations, right? TeamPCP pushed malicious code to existing GitHub tags. We've been screaming about pinning versions to SHAs for years, but clearly, nobody is listening. Is it time to admit that 'convenience' is the primary enemy of supply chain security? The Axios incident showed a victim compromised in under two minutes. In a world of auto-updating dependencies, is the concept of a human-in-the-loop for software updates officially dead, or do we need to look very hard at version pinning and such? With XZ Utils case, we saw a long-game social engineering attack. Beyond just 'watching npm closely,' what are the realistic architectural safeguards for an org that knows they can't audit every line of an update? We've spent the last three years talking about SBOMs (Software Bill of Materials) like they were a pill for…
People in this episode
Host: Anton Chuvakin
Guest: Dan Lorenc
Topics covered
- supply chain security
- security tooling
- malicious code
- version pinning
- software updates
- architectural safeguards
- credential exfiltration
Keywords
- supply chain security
- security tooling
- malicious code
- version pinning
- SBOM
- CI/CD
- credential exfiltration
Mentioned in this episode
Organizations: Chainguard, GitHub, Axios
Products: Trivy, LiteLLM, XZ Utils, SBOMs
Places: npm
More episodes of Cloud Security Podcast by Google
- EP275 Google Cloud Next 2026: The AI Earthquake, "SOC-home" Syndrome, and the Ragged Edge of Reality · May 4, 2026 · 20 min
- EP274 AI, Zero Trust and Secure by Design Walk into a Bar... · April 27, 2026 · 30 min
- EP273 From CISA to Cloud: AI Assurance, Concentration Risk, and the New Regulatory Frontier · April 20, 2026 · 29 min
- EP272 More Than Just Packets: Is NDR a "First-Class" Cloud Security Control? · April 13, 2026 · 34 min
- EP271 Can AI-Native MDR Actually Fix Your Broken SOC Workflows or Just Automate the Mess? · April 9, 2026 · 27 min
- EP269 Reflections on RSA 2026 - Beyond AI AI AI AI AI AI AI · March 30, 2026 · 33 min
Explore listener stats, chart rankings, contacts and more on the Cloud Security Podcast by Google podcast page.