The SolarWinds story has been everywhere this month, and rightly. A trusted update from a trusted vendor, signed and shipped through the proper channels, carried a backdoor into a long list of organisations that did everything they were told to do. They patched. That was the attack vector.
What unsettles me is not the sophistication, though it is sophisticated. It is how ordinary the entry point was. We spend enormous effort defending the perimeter and almost none questioning the things that come through the front door with a valid signature on them. An update from your monitoring vendor is about as trusted as software gets. That trust was the whole exploit.
I do not have a tidy answer, and anyone selling you one this week is moving quickly. But it has me looking at my own build pipeline differently: what do I pull in, who can sign it, and would I notice if the artefact changed without the source changing? Most of us, honestly, would not.
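One way to turn that question into a concrete check, as an added example rather than anything from the original post: record, for each release artefact, the source commit it claims to come from and its SHA-256, then compare successive manifests, because an artefact whose bytes changed while its recorded source did not is exactly the case a valid signature never surfaces. This assumes the manifest is produced by a build the release pipeline cannot rewrite (an independent or reproducible rebuild), and the artefact names, commit ids and bytes below are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record(source_commit: str, artefact: bytes) -> dict:
    """What a release step should write down: which source produced which bytes.
    Only meaningful if this record comes from a build the attacker cannot touch;
    otherwise it merely documents the tampered artefact."""
    return {"source_commit": source_commit, "sha256": sha256_hex(artefact)}


def detect_drift(previous: dict, current: dict) -> dict:
    """Compare two release manifests and return a verdict per artefact.
    'drift'     bytes changed, recorded source did not: investigate before deploying
    'rebuilt'   bytes and source both changed: a normal update
    'unchanged' identical bytes
    'new'       artefact not present in the previous release
    """
    verdicts = {}
    for name, cur in current.items():
        prev = previous.get(name)
        if prev is None:
            verdicts[name] = "new"
        elif prev["sha256"] == cur["sha256"]:
            verdicts[name] = "unchanged"
        elif prev["source_commit"] == cur["source_commit"]:
            verdicts[name] = "drift"
        else:
            verdicts[name] = "rebuilt"
    return verdicts


# Constructed sample: two releases of a hypothetical monitoring agent.
PREVIOUS = {
    "agent.bin": record("commit-aaa", b"agent build from commit-aaa"),
    "plugin.bin": record("commit-bbb", b"plugin build from commit-bbb"),
}
CURRENT = {
    # Same source commit, different bytes: something touched the artefact
    # outside the build. A signature would still verify; this check would not.
    "agent.bin": record("commit-aaa", b"agent build from commit-aaa + extra"),
    # Source moved and bytes moved: the ordinary shape of an update.
    "plugin.bin": record("commit-ccc", b"plugin build from commit-ccc"),
    "new.bin": record("commit-ccc", b"new component"),
}

if __name__ == "__main__":
    for name, verdict in detect_drift(PREVIOUS, CURRENT).items():
        print(f"{name}: {verdict}")
```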
A signed binary tells you who built it. It does not tell you what they put in it. That distinction used to feel academic. This week it does not.