The Log4j vulnerability (Log4Shell, December 2021) was the bucket of cold water that woke most developers up to their software supply chain security problem.
We’ve spent decades building software and obsessing over our production environments. But we build that software on unpatched Jenkins boxes sitting under someone’s desk. We spend all this time protecting our runtimes, then deploy to them with amateur tooling.
Our build environments aren’t nearly as secure as our production environments.