The CEO Shift: Why Abby Kearns at ActiveState Signals a Turning Point for Enterprise Risk

The Software Supply Chain Is Now a Boardroom Problem

Abby Kearns has spent her career at the intersection of open source software and enterprise infrastructure. At Cloud Foundry Foundation, she watched the world's largest organizations bet their digital futures on open source. At Puppet, she saw firsthand how automation was the only viable path to managing infrastructure at scale. Her appointment as CEO of ActiveState isn't a standard leadership transition. It's a signal that the industry is moving from experimental growth to mature governance, and that the software supply chain has finally become a boardroom problem.

The 96% Problem Nobody Is Talking About

Here's a number that should get every CISO's attention: roughly 96% of modern applications contain open source components. That means the vast majority of proprietary software is built on code the organization didn't write and, in many cases, has not fully verified. The industry has been treating open source as a developer convenience for decades. It is now the primary engine of global business, and that changes the risk calculus entirely.

The old model, where developers download pre-compiled binaries from public repositories and trust that everything inside is clean, is no longer defensible. Those binaries are often black boxes. You don't know what compiler was used, what's buried in the dependency tree, or whether the code has been tampered with. For a CISO trying to meet increasingly stringent compliance requirements, that's not a security posture. It's a liability.

AI Is Accelerating the Problem

Just when the open source supply chain was already complex enough, generative AI arrived and turned up the velocity dial. Developers are shipping code faster than ever. LLMs are suggesting, generating, and assembling code that pulls in open source packages at a rate that manual security review simply cannot keep pace with.

This is the new velocity gap: engineering teams are moving at the speed of AI, while security and compliance teams are still working from spreadsheets and manual audits. Every CVE they chase is time not spent on work that actually moves the business forward.

Kearns has seen this pattern before. In the early days of cloud, enterprises were adopting new infrastructure technologies faster than they could manage them safely. The companies that came out ahead weren't the ones that slowed down adoption. They were the ones that built the right systems to govern it without killing developer velocity. That's exactly the problem ActiveState has spent two decades solving, and it's a core reason this appointment makes sense.

Building from Source Changes Everything

The approach at the core of ActiveState is straightforward in concept, but hard to execute at scale: build open source runtimes from the original source code, in a secure and isolated environment, with a full chain of custody. Not pre-compiled binaries from a public repo. Not a best-effort scan after the fact. Built, verified, and traceable from the start.

For a CISO, the practical impact is significant. Organizations can dramatically reduce their vulnerability surface area, eliminate the dependency sprawl that makes audits a nightmare, and meet federal and global software transparency requirements with confidence rather than hope. And critically, they can do all of this without creating a bottleneck that slows engineering teams down.

Why This Matters Now

The conversation about software supply chain security has been building for years, but recent high-profile breaches have moved it from the CISO's agenda to the board's agenda. That shift is permanent. With AI accelerating the ingestion of open source packages across every team and every project, the window for getting ahead of this problem is narrowing.

What ActiveState offers is something the market genuinely needs right now: a way to let developers move fast without the organization flying blind on what's actually inside the software they're shipping. Kearns brings the right combination of open source depth, infrastructure credibility, and enterprise scale experience to lead that charge. The timing is deliberate, and the opportunity is significant.
