Supply Chain & Third-Party Risk Summit

They say the world runs on open source, but your business runs on commercial software. From your ERP systems to your messaging platforms, they are all commercial tools. The vendors that publish these commercial tools are increasingly targeted by malicious actors given their breadth of adoption and impact on business-critical processes. Yet according to a recent Gartner survey on Third Party Risk Management, 83% of Cyber risk professionals find risks embedded within vendor applications after deployment. As a result, it is clear that the status quo for defending the enterprise from cyber threats originating in the software supply chain is not sufficient. During this session, Charlie Jones, Director, Product Management at ReversingLabs, will outline key actions that enterprises can take to identify risks and threats before they purchase or deploy, as well as collaborate with their vendors to mitigate exposures. Learning Objectives: 

• Understand what is in the commercial software you buy and why it is risky.
• Learn why traditional security methods (e.g., SBOMs, questionnaires) are insufficient. 
• Discover new technologies for assessing software risks without needing source code. 
• Hear how global banks, high tech, and healthcare companies are leveraging this technology today 
• Uncover best practices for CISOs to manage SSCS threats effectively.

Network appliances such as VPNs, firewalls, load balancers, and routers must be connected to the open internet. They do not support EDR and have deep access to resources inside the perimeter. For these reasons, it’s no surprise that nation-state and criminal groups have increased their targeting of network devices, with devastating results. Unfortunately, the situation is unlikely to get better anytime soon. Join Eclypsium VP of Solution Engineering, Wes Dobry, as he explains the motivations, tactics, and techniques behind these attacks. Topics will include: 

• Understanding why network devices are vulnerable and a prime target for attackers 
• Learn techniques attackers use to compromise and evade detection on network devices 
• Develop hardening and detection strategies for defenders of network devices

Supply chain security risks continue to grow as attackers exploit trusted third-party relationships to infiltrate organizations. Whether through weaponized files from suppliers or unintended data exposure in motion, security teams need proactive measures to stop threats before they spread. In this session, we’ll explore how advanced Content Disarm and Reconstruction (CDR) technology eliminates zero-day malware threats from supply chain files—without relying on detection. Additionally, we’ll discuss how Data Detection and Response (DDR) can prevent the unintentional exposure of sensitive data in motion, ensuring compliance and risk mitigation. Join us to learn how leading security teams are enhancing supply chain security by proactively sanitizing inbound content and controlling sensitive data exposure—without disrupting business operations.

Please visit our sponsors in the Exhibit Hall. View resources and chat with their experts.

This presentation introduces the latest developments of Macaron, Oracle Labs’ open-source project for enhancing software supply chain security, with a particular focus on Python malware detection and securing build processes. As attacks targeting Python packages grow, Macaron provides an effective solution for identifying malicious packages and behaviors, ensuring the integrity of build processes. Many organizations rely on building third-party artifacts from source while building their own applications, and Macaron empowers them to do so by offering detailed insights into the entire build process. We will also compare Macaron with existing solutions and highlight its unique features.

Key Points:

1. Overview of Macaron’s capabilities and features in analyzing build processes and artifact dependencies
2. Implementation of SLSA (Supply Chain Levels for Software Artifacts) requirements through clear, automatically verifiable rules
3. Demonstration of Macaron’s extensible framework, allowing for custom security checks tailored to unique use cases
4. Real-world case studies showcasing Macaron’s effectiveness in detecting vulnerabilities and securing build pipelines
5. Integration of Macaron into CI/CD pipelines for continuous, automated security monitoring

Software Supply Chain Risk is well understood as a major issue in cybersecurity, as ENISA demonstrated in 2021 when they forecast it to be the top threat vector by 2030. However, where does Software Supply Chain Risk sit in the total enterprise risk spectrum?

This talk will arm attendees with the knowledge to properly discuss Software Supply Chain Risk with Chief Risk Officers, CFOs and Board Directors. At the end of the session, cybersecurity practitioners will be able to speak the language of risk management to secure the necessary focus and budget to improve their organization's Software Supply Chain Risk posture.

As the challenges of securing software supply chains grow, adopting robust and automated security practices is more crucial than ever. OpenSSF Scorecard, developed by the Open Source Security Foundation (OpenSSF), provides a reliable framework for assessing the security posture of open-source projects. Complementing this, Ortelius offers an open-source solution for continuous vulnerability tracking and management, seamlessly integrating with tools like OpenSSF Scorecard and OSV.dev.

Jenkins, as a CI/CD powerhouse, adds another critical layer to this ecosystem, making it an ideal platform for advancing continuous vulnerability management. This talk will showcase how integrating Ortelius and OpenSSF Scorecard into Jenkins pipelines enables teams to automate vulnerability scans, monitor security metrics, and address threats with greater efficiency. Attendees will gain practical insights into leveraging these tools together to build a secure, automated, and resilient software delivery lifecycle.

AI agents like GitHub Copilot, Cursor, and Windsurf are transforming software development—automating tasks, shifting PR responsibilities left, and accelerating iteration cycles. AI is no longer just a tool; it’s an integral part of the software supply chain, shaping how code is written, tested, and deployed.

In this session, we’ll demystify AI in modern development, exploring how to leverage AI tools, adapt AppSec for an AI-driven world, and proactively address AI as a supply chain vector—ensuring AI-driven development strengthens security, not weakens it.

We’ll walk through how:

• AI agents impact your software supply chain — from code generation to autonomously complete coding tasks and executing development processes.
• New risks introduced by AI increase pressure on AppSec, including malicious prompt injection, agent jailbrakes, and accelerated exploits.
• AI-powered security scanning & automation—adapt to faster development processes by ditching manual processes and using AI agents to execute security scans during development (SCA, SAST, IaC, etc.) alongside traditional PR/CI/CD scans.
• Governance techniques can help secure AI-assisted development, including security-aware prompt engineering, AI governance in IDEs, and policy enforcement across developer workflows.
• Leveraging AI-driven automation can reduce security debt—how AI can help mitigate risks earlier, decrease the cost of fixing security findings, and drive compliance without slowing down engineering velocity.

Learn how to adapt to ensure AI in software development delivers on its promise of a brighter future– instead of its threat of unforeseen risks.

Software represents the largest under-addressed attack surface in the world, and classic AppSec tools cannot address the full scope of threats impacting the software supply chain. Before you acquire, before you deploy, before any updates—Spectra Assure gives you the visibility you need to manage third-party software risk. Watch to see how Spectra Assure opens the black box of commercial software, providing deep analysis, uncovering hidden malware, and ensuring compliance with evolving security standards. With continuous monitoring, advanced risk insights, and proactive threat detection, Spectra Assure empowers teams to confidently secure the software supply chain at every stage.

The Eclypsium Supply Chain Security Demo will explore how organizations can protect their firmware and hardware supply chain from emerging threats. The session will showcase Eclypsium’s advanced platform, demonstrating how it identifies vulnerabilities, detects malicious firmware implants, and enables automated updates of firmware to mitigates risks across endpoints, servers, and network devices, as well as simplifying compliance with NIST SP 800-53 and other widely used cybersecurity frameworks, standards, and regulations like CJIS

Votiro's Sr. Solution Engineer gives a quick overview of what Votiro is and the problems we solve. He then goes into three different demos to show us in action. Malware prevention and active data masking through email bodies & attachments; the same protections in collaboration tools like Microsoft Teams; and then with a password-protected document in OneDrive. 

We hope your virtual experience at SecurityWeek's 2025 Supply Chain Security & Third-Party Risk Summit has been informative and productive. If you missed any sessions, you may watch them now on-demand in the Auditorium. We would like to take this opportunity to thank our sponsors: ReversingLabs, Eclypsium, and Votiro. Stop by their booths and chat with their experts before you leave!

Software represents the largest under-addressed attack surface in the world, and classic AppSec tools cannot address the full scope of threats impacting the software supply chain. Before you acquire, before you deploy, before any updates—Spectra Assure gives you the visibility you need to manage third-party software risk. Watch to see how Spectra Assure opens the black box of commercial software, providing deep analysis, uncovering hidden malware, and ensuring compliance with evolving security standards. With continuous monitoring, advanced risk insights, and proactive threat detection, Spectra Assure empowers teams to confidently secure the software supply chain at every stage.

The Eclypsium Supply Chain Security Demo will explore how organizations can protect their firmware and hardware supply chain from emerging threats. The session will showcase Eclypsium’s advanced platform, demonstrating how it identifies vulnerabilities, detects malicious firmware implants, and enables automated updates of firmware to mitigates risks across endpoints, servers, and network devices, as well as simplifying compliance with NIST SP 800-53 and other widely used cybersecurity frameworks, standards, and regulations like CJIS

Votiro's Sr. Solution Engineer gives a quick overview of what Votiro is and the problems we solve. He then goes into three different demos to show us in action. Malware prevention and active data masking through email bodies & attachments; the same protections in collaboration tools like Microsoft Teams; and then with a password-protected document in OneDrive.