Security is one of the few things that will survive the budget axe should the world plunge into recession, but it’s increasingly clear that we can’t simply spend our way to a secure future. Indeed, SLSA (Supply-chain Levels for Software Artifacts), Tekton, and other solutions can secure open source supply chains, but the reality is we still mostly rely on developers to do better and “be vigilant,” as Modal Labs founder Erik Bernhardsson points out. Unsurprisingly, this non-strategy keeps failing.