The code you ship is mostly code you didn't write — that's the attack surface.
Open a minimal Express app in any editor and run a dependency count. Before you've written a single line of business logic, you've already imported 47-plus transitive packages — authors you've never heard of, maintainers you've never vetted, build hooks you've never read. Software supply chain security starts with sitting with that number until it stops feeling abstract. The 80–90% ratio isn't a statistic to memorize; it's a reorientation. AppSec curricula spend almost all their time on the 10–20% you wrote. Attackers have done the math on the rest.
This topic works through the full stack of the problem: why the transitive dependency graph is where risk actually hides, what dependency confusion and typosquatting look like in practice, why running Trivy on every build is a genuinely good idea that still leaves entire attack classes invisible, and what it takes to be able to answer the question practitioners now treat as the real bar — not 'did we scan for CVEs?' but 'where did this artifact come from, and can I prove it wasn't tampered with?' That means getting into SBOMs as maps rather than deliverables, artifact signing with Sigstore and cosign, SLSA provenance levels, and verification at deploy — because signing without a verification gate is theater.
Your CI/CD pipeline has secrets, network egress, and the right to push to production. That makes it production. One of the quieter goals of this topic is making that sentence feel obvious rather than surprising, so that when you're threat-modeling a system, you bring the build runners into the room automatically. The xz-utils story — a two-year social-engineering operation that embedded a backdoor in SSH infrastructure on millions of systems, nearly undetected — is the campfire story this community tells because it illustrates everything: a trusted name, a legitimate-looking update, and an attack surface that no CVE scanner would have caught.