Open Source Under Attack: Software Supply Chain Risk in the Age of Regulation


Course

Denis Maligin of Chainguard examines how open-source supply chain attacks reach production environments and how zero-CVE images and software bills of materials address the Cyber Resilience Act.

Open-source components underpin the majority of modern software, and the software supply chain has become one of the most exploited attack surfaces in the industry. Incidents like Log4j and XZ Utils demonstrated how a single compromised dependency can cascade through global production environments overnight, while the Cyber Resilience Act now mandates that manufacturers know exactly what is in their software, secure it by default and report critical vulnerabilities from September 2026.

The reality for most development teams is a constant tension between shipping software and fixing vulnerabilities, with security teams unable to pause production even when critical CVEs are present.

In this session, led by Denis Maligin of Chainguard, you will learn:

  • Why transitive dependencies in open-source ecosystems create hidden, hard-to-audit risk;
  • How software bills of materials and zero-CVE container images address CRA compliance requirements;
  • What malware-free library ecosystems mean for supply chain attack resistance in production environments.

Here is the course outline:

Open Source Under Attack: Software Supply Chain Risk in the Age of Regulation

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate