Projecting the next decade of software supply chain security
With the rapid pace of innovation accelerating under a new administration, discussions over whether software security will be sidelined in favor of speed are heating up. However, security leaders have long been saying that security protocols shouldn’t slow down development plans — and they don’t when done correctly. This perception must be adopted more widely so that innovation and security can happen in tandem.
Preventing thieves from entering your home in the first place
Currently, the software industry stands at a crossroads. The past few years have seen devastating supply chain attacks — from the SolarWinds attack to the Log4Shell vulnerability — that have shaken our confidence in the fundamental security of our digital infrastructure. They took trusted tools and turned them into threats, and most of the industry was powerless.
It’s akin to a burglar breaking into your home and even though you can see them raiding your personal belongings on your security camera, you can’t do anything about it until after the fact. What good are those cameras if they only record the theft, or scanners if they only catch threats already in your environment? What if you could prevent thieves from entering your home in the first place, and remove threats to your organization altogether?
Shifting what it means to be secure and innovative
Looking ahead to 2035, we envision a radically different landscape. Instead of development teams struggling with basic questions like “what’s actually in our software?” and “can we trust these dependencies?”, we see a future in which development environments verify the integrity of dependencies as automatically as they highlight syntax today. A future where every container image is built directly from source and carries cryptographic proof of its build process and composition — and every known vulnerability is patched. In this world, security is built in, and it enables innovation.
The building blocks of this transformation are already emerging. New standards for supply chain integrity are taking shape, pushed forward by executive orders and industry initiatives. Sigstore, for example, is demonstrating how we can make code signing ubiquitous and accessible.
This isn’t just about better tools — it’s about fundamentally shifting how we think about security and productivity. The perception that security controls necessarily slow down development needs to be challenged. When thoughtfully designed and seamlessly integrated, security controls can actually accelerate development by eliminating entire categories of risks and the incidents they cause.
Building a world where every line of code is secure by default
Getting to this future requires solving significant challenges and collaboration across the entire software ecosystem — from individual developers to the largest enterprises, from open-source maintainers to cloud providers. By making security an inherent part of our development tools and processes rather than an optional layer, we can build a world where every line of code is secure by default, and trust is established through verification rather than assumption.
That’s essential not just to businesses, but to our society. As software increasingly powers critical infrastructure, medical devices, and financial systems, the security of our software supply chain becomes inseparable from our collective security.
This isn’t just an aspirational future — it’s an imperative one. The organizations that will thrive in 2035 will be those that recognized this reality in 2025 and began adapting accordingly.
Dan Lorenc is the co-founder and CEO of Chainguard.