DiscoverCloud Security Podcast by GoogleEP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security
EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

Update: 2026-04-06
Share

Description

Guest:

Topics:

  • We just saw a security tool (Trivy) get used to pop an AI infrastructure tool (LiteLLM) to eventually pop end users. Have we reached the point where our security tooling is actually our largest unmanaged attack surface? 
  • Why now? Software supply chain security had the perennial vibe of "not top concern" for most organizations, right?
  • TeamPCP pushed malicious code to existing GitHub tags. We've been screaming about pinning versions to SHAs for years, but clearly, nobody is listening. Is it time to admit that 'convenience' is the primary enemy of supply chain security?
  • The Axios incident showed a victim compromised in under two minutes. In a world of auto-updating dependencies, is the concept of a human-in-the-loop for software updates officially dead, or do we need to look very hard at version pinning and such?
  • With XZ Utils case, we saw a long-game social engineering attack. Beyond just 'watching npm closely,' what are the realistic architectural safeguards for an org that knows they can't audit every line of an update?
  • We've spent the last three years talking about SBOMs (Software Bill of Materials) like they were a pill for supply chain health. But if the scanner producing the SBOM is the one that's compromised, isn't the SBOM just a signed receipt for your own house being on fire? 
  • What is the one practical thing they can do to ensure their CI/CD isn't a credential-exfiltration-as-a-service platform?

Resources:

Comments 
In Channel
EP276 AI Governance vs. The Hyper-Velocity Agentic Future: A Lawyer's Take

EP276 AI Governance vs. The Hyper-Velocity Agentic Future: A Lawyer's Take

2026-05-1136:00

EP275 Google Cloud Next 2026: The AI Earthquake, "SOC-home" Syndrome, and the Ragged Edge of Reality

EP275 Google Cloud Next 2026: The AI Earthquake, "SOC-home" Syndrome, and the Ragged Edge of Reality

2026-05-0420:23

EP274 AI, Zero Trust and Secure by Design Walk into a Bar...

EP274 AI, Zero Trust and Secure by Design Walk into a Bar...

2026-04-2729:37

EP273 From CISA to Cloud: AI Assurance, Concentration Risk, and the New Regulatory Frontier

EP273 From CISA to Cloud: AI Assurance, Concentration Risk, and the New Regulatory Frontier

2026-04-2029:28

EP272 More Than Just Packets: Is NDR a "First-Class" Cloud Security Control?

EP272 More Than Just Packets: Is NDR a "First-Class" Cloud Security Control?

2026-04-1334:11

EP271 Can AI-Native MDR Actually Fix Your Broken SOC Workflows or Just Automate the Mess?

EP271 Can AI-Native MDR Actually Fix Your Broken SOC Workflows or Just Automate the Mess?

2026-04-0927:29

EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

2026-04-0627:23

EP269 Reflections on RSA 2026 - Beyond AI AI AI AI AI AI AI

EP269 Reflections on RSA 2026 - Beyond AI AI AI AI AI AI AI

2026-03-3033:26

EP268 Weaponizing the Administrative Fabric: Cloud Identity and SaaS Compromise in M Trends 2026

EP268 Weaponizing the Administrative Fabric: Cloud Identity and SaaS Compromise in M Trends 2026

2026-03-2333:49

EP267 AI SOC or AI in a SOC? Cutting Through Hype, Pricing Models, and SIEM Detection Efficacy with Raffy Marty

EP267 AI SOC or AI in a SOC? Cutting Through Hype, Pricing Models, and SIEM Detection Efficacy with Raffy Marty

2026-03-1635:36

EP266 Resetting the SOC for Code War: Allie Mellen on Detecting State Actors vs. Doing the Basics

EP266 Resetting the SOC for Code War: Allie Mellen on Detecting State Actors vs. Doing the Basics

2026-03-0933:24

EP265 Beyond Shadow IT: Unsanctioned AI Agents Don't Just Talk, They Act!

EP265 Beyond Shadow IT: Unsanctioned AI Agents Don't Just Talk, They Act!

2026-03-0228:54

EP264 Measuring Your (Agentic) SOC: Two Security Leaders Walk into a Podcast

EP264 Measuring Your (Agentic) SOC: Two Security Leaders Walk into a Podcast

2026-02-2334:17

EP263 SOC Refurbishing: Why New Tools Won't Fix Broken Processes (Even With AI)

EP263 SOC Refurbishing: Why New Tools Won't Fix Broken Processes (Even With AI)

2026-02-1632:34

EP262 Freedom, Responsibility, and the Federated Guardrails: A New Model for Modern Security

EP262 Freedom, Responsibility, and the Federated Guardrails: A New Model for Modern Security

2026-02-0928:57

EP261 No More Aspiration: Scaling a Modern SOC with Real AI Agents

EP261 No More Aspiration: Scaling a Modern SOC with Real AI Agents

2026-02-0228:56

EP260 The Agentic IAM Trainwreck: Why Your Bots Need Better Permissions Than Your Admins

EP260 The Agentic IAM Trainwreck: Why Your Bots Need Better Permissions Than Your Admins

2026-01-2630:13

EP259 Why DeepMind Built a Security LLM Sec-Gemini and How It Beats the Generalists

EP259 Why DeepMind Built a Security LLM Sec-Gemini and How It Beats the Generalists

2026-01-1933:36

EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen

EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen

2026-01-1232:05

EP257 Beyond the 'Kaboom': What Actually Breaks When OT Meets the Cloud?

EP257 Beyond the 'Kaboom': What Actually Breaks When OT Meets the Cloud?

2026-01-0527:22

loading
Google Play
Download from Google Play
Castbox
Download from App Store
usUnited States
00:00
00:00
x

0.5x

0.8x

1.0x

1.25x

1.5x

2.0x

3.0x

Sleep Timer

Off

End of Episode

5 Minutes

10 Minutes

15 Minutes

30 Minutes

45 Minutes

60 Minutes

120 Minutes

EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

EP270 The Convenience Tax: Why We Keep Failing at Supply Chain Security

Anton A Chuvakin