How Software Supply Chain Risk Became Everyone's Problem

The threat isn't coming from outside your perimeter. It's already inside, embedded in the open source libraries your engineers pulled in last quarter, the routers running on your network, the security tooling sitting in your CI/CD pipeline. In this episode of Eventual Consistency, host James Winegar is joined by Jamil Bou Khair, founder and CEO of Firezone, and Brian Manifold, senior full stack engineer at Firezone, to unpack what software supply chain security actually looks like in practice and why most enterprises are still building their defenses for a threat model that no longer reflects reality. The conversation is grounded in a real incident: the March 2026 Trivy vulnerability, in which attackers exploited a misconfiguration in Aqua Security's GitHub Actions environment, extracted a privileged access token, and used it to publish a malicious binary that was live in distribution channels for nearly three hours.  They also discuss the hardware dimension of supply chain risk, with the US government's ban on foreign-made routers, and the reality that manufacturing on US soil doesn't solve the chip provenance problem.  They dig into the tension between moving fast and maintaining operational security, drawing on Jamil's experience scaling Firezone from a startup with three engineers to a team with GitHub Enterprise security policies enforced at the repo level. The episode closes with the practical architecture of defensibility: why blast radius reduction and zero trust segmentation matter more than perimeter security in an AI-accelerated threat environment, how Firezone approaches dependency management including cooldown periods and IP allow listing across SaaS platforms, and why the industry may be approaching a moment where writing your own dependencies rather than pulling in shared libraries, becomes a legitimate security strategy. About the Host James Winegar is a data consultant who has spent years in the trenches helping enterprise organizations actually implement the technologies that vendors promise will revolutionize their business. He specializes in data infrastructure, real-time systems, and the practical realities of what works when the proof of concept becomes production. His approach is skeptical, pragmatic, and focused on the economics of technology decisions, a lens he brings to bear throughout this episode on the real costs of getting MCP wrong and what it actually takes to make AI agents useful in a production enterprise environment. About the Guests Jamil Bou Khair is the Founder and CEO of Firezone, a zero trust network access platform. Jamil brings a founder's perspective on the operational security trade-offs that real engineering teams face when moving fast in a threat environment that is moving faster. Connect with Jamil on LinkedIn: https://www.linkedin.com/in/jamilbk/ Brian Manifold is a Senior Full Stack Engineer at Firezone. Brian works across the stack on security architecture and has direct experience with the dependency management, access control, and incident response challenges discussed in this episode. Connect with Brian on LinkedIn: https://www.linkedin.com/in/brian-manifold-536a0a3a/ Connect with us:  Sponsor: https://www.corrdyn.com/ a data consultancyConnect with James Winegar on LinkedIn: https://www.linkedin.com/in/james-winegar/