
A new hope for software security

July 24, 2023

Via: InfoWorld

The Log4j vulnerability in December 2021 spotlighted the software supply chain as a massively neglected security surface area. It revealed just how interconnected our software artifacts are, and how our systems are only as secure as their weakest links. It also reinforced the idea that we may think security is something we can buy, but really it’s about how we function as development teams.

Ever since, we’ve been sprinting to improve.

Perhaps most notably, the Sigstore project, which Google open sourced, became the de facto signature method for software artifacts, adopted by all of the major language ecosystems, including Java, Python, Node, Ruby, and more.
