Securi-Tay 2026
Every major package registry has foundational security gaps. Meanwhile, the software industry has spent years building sophisticated supply chain security solutions while the basics often remain unaddressed. These aren’t technical problems—they’re systemic incentive problems. Registries balance developer experience against security (often with limited resources), and security controls create immediate friction while breach impacts are diffuse and downstream.
Using data from systematic assessments of major package registries, this talk examines which foundational gaps downstream consumers can actually mitigate and which they simply cannot. For example, you might not be able to verify who built the package, or whether their account was compromised, but you can verify what was built and whether it’s vulnerable. This leads to a realistic (and mildly terrifying) threat model for package consumption: assume that upstream is compromised and design artifact-layer resilience accordingly.
This talk is about concrete strategies for verification, monitoring, and policy enforcement that work despite weak foundations. Some involve tooling, such as provenance verification, cryptographic validation, behavioral analysis, and continuous monitoring. Others are about changing how you consume dependencies, such as version pinning, vetting publishers, establishing allowlists, and making explicit risk decisions about what level of uncertainty you’ll accept. The goal isn’t to pretend you can fix upstream problems, but to build resilient systems that survive when registries fail to provide the security boundaries you need.
27 February 2026