Eric Gallagher | SecuringTheBackbone.com
@ericgallagher.bsky.social
💪 Author of "Securing the Backbone" newsletter | Challenging the status quo in software supply chain security | 🏃Trying to make running a habit | 🎾Tennis and ♠️poker nerd | WV
👉 Get the full report from ActiveState to see the complete findings and benchmarks.
www.activestate.com/resources/20...
2025 State of Vulnerability Management and Remediation Report
Download the State of Vulnerability Management & Remediation report for insights on DevSecOps challenges and strategies to overcome them.
www.activestate.com
January 6, 2026 at 2:06 PM
If container security and compliance are part of your 2026 priorities, the full 2026 State of Vulnerability Management & Remediation Report: Container Security Edition breaks down exactly where organizations are falling behind, and what’s replacing broken approaches.
January 6, 2026 at 2:06 PM
The real failure point is remediation:
❌ Outdated base images
❌ Inherited CVEs
❌ Manual fixes that can’t keep up with ephemeral containers

The report shows that container adoption has outpaced security maturity, turning audits into a recurring risk event instead of a checkpoint.
January 6, 2026 at 2:06 PM
When compromise propagates inside the ecosystem itself, there is no clear breach moment and often nothing to “patch.”

This shift is explored further in a recent STB Executive Brief written for executive leadership. Reach out if you want a copy.
January 5, 2026 at 2:26 PM
I don’t know you, just found your feed, but don’t stop. Decline or not, you’re running, and that’s a win. “The best run is the run you CAN do now”
January 1, 2026 at 2:04 PM
Solutions like @ActiveState focus on preventing untrusted code from entering the pipeline in the first place, not just reacting after the fact.

Because when software can infect software, “just patch it” stops being a strategy.

It becomes a liability.
December 31, 2025 at 2:11 PM
The real fix is control:
✔️ controlling which open-source packages enter the organization
✔️ controlling how builds are composed
✔️ controlling who can publish, pull, and promote artifacts

This is where curated catalogs, immutable builds, and hardened base images matter.
December 31, 2025 at 2:11 PM
This new class of supply-chain attack spreads inside trusted developer workflows:
• no zero-days
• no obvious malware
• no CVEs to patch

Just automation + trust + public dependencies.

That’s why detection alone won’t stop it.
December 31, 2025 at 2:11 PM
If you're in those boardroom conversations talking about CVEs, I expand on this further in this month's STB Executive Brief.
December 30, 2025 at 1:24 AM
As scanning improves, numbers rise, remediation effort compounds, and leadership confidence can move in the wrong direction.

That gap rarely makes it into board conversations.
December 30, 2025 at 1:24 AM