Why Secure Open-Source Software Starts at the Source
bankinfosecurity
Chainguard's Dustin Kirkland on Provenance, Automation and Supply Chain Risk
Michael Novinson (MichaelNovinson) • December 15, 2025

Open-source software introduces security risks through two distinct vectors: malicious code deliberately inserted into the supply chain and accidental vulnerabilities introduced by human error or AI-generated code. Supply chain attacks exploit the one-to-many nature of software dependencies, where a single compromised library can cascade across thousands of applications and organizations.
"Build everything from source," said Dustin Kirkland, senior vice president of engineering at Chainguard. "That ensures that you can rebuild it over time, which ensures that you can patch it and make changes to it over time."
Organizations should combine source-based builds with automation, cryptographic verification and transparent provenance to establish trust at scale, Kirkland said.
In this video interview with Information Security Media Group at AWS re:Invent 2025, Kirkland also ...
Copyright of this story belongs to bankinfosecurity.

