> how fragile software supply chain security is, despite the abundance of tools and available security mechanisms

There seems to be a fundamental trade-off at play. I often see security portrayed as a hindrance, and its requirements as a drag on productivity. That is in line with a strong trend of developers with a very narrow skill set. The ability to throw frameworks at the wall and see what sticks pays very well. No one wants a stick in the mud asking why on Earth dependency management is in the state it is, or imposing reasonable security practices. I have been there; I have argued with developers from teams that had been breached before saying "no, this is safe because I can't see how this could be exploited". Security by obscurity is so deeply ingrained that one takes one's own obscurity as evidence of safety.




It's worse: if you address these things seriously (as another post here did last week, about software quality), you get rapidly stopped in your tracks. Like you say, and more: 'but everyone does it like this, why would we waste time?' and 'It is safe enough, maybe later we'll revisit.' It is kind of true that clients don't pay for it directly; however, indirectly, it can tank a company.


Herd mentality gets a bad rap, but it generally works for the herd.


Works well on average, and remember that bad actors are also part of the overall herd. It can be very detrimental to the individual (person or company).

