
The easiest counter to this is that, to my knowledge at least, it’s easier to build a vulnerability scanner than to scrape repos for more targeted attacks.


The "No lieutenant, your men are already dead" defense. I like it.

I think that if your threat model includes nation states (and the companies I was referencing above were largely S&P500 financial institutions) then you have to think the attacker also doesn’t want to trip off any alarms with a ham-fisted port scan blasting the precious zero-day exploit all over the internet. Your point is still extremely valid though.

Which is why the counter I provided is that the best defense is to get as many engineers’ eyes on the problem and in the codebase as possible to prevent or find it before it becomes an issue. Things like libxz are scary, but it’s even scarier if not caught before it’s in the wild.


The dirty secret is that nation states can get your software dependency list pretty easily in a number of ways (e.g. sending agents to meetups to nerd out & make friends would be an expensive way, but there are other social engineering attacks I’ve observed).

The other secret is that monitoring software can’t detect anomalies ahead of time & the vulnerability scan will not show up meaningfully any different than all the other random traffic already happening. Your nation state can hide its vulnerability scan amongst all the other vulnerability scanners already running (both legit as a service when you request it against your server & illegitimate actors trying to find a way in). So at best a ham-fisted search is unlikely to really tip your hand in a meaningful way unless it requires having penetrated a few layers of your security to begin with.

As for libxz, the scary part is that as an industry we recognize the security challenge of not compensating maintainers and yet we have lackluster responses to fixing it (e.g. Google trying to pay OSS maintainers to harden their security while completely ignoring that a huge problem is that the maintainers can’t devote full time which opens an avenue for malicious actors to overwhelm maintainers & take control socially as happened with libxz).
