Supply Chain Security Summit

Supply Chain Security and Third-Party Risk Conference

March 19, 2025

The recent surge in high-profile software supply chain attacks has exposed a soft underbelly of modern computing and prompted a major global response to address security defects and third-party risk management.

Join us as we explore the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Call for Presentations (CFP) is Open!

Platinum Sponsor: ReversingLabs

Gold Sponsor: Eclypsium

Sponsorship Information

  • March 19, 2025
    Securing the Software Supply Chain with Macaron: A Comprehensive Tool for Analysis and Protection

    This presentation introduces the latest developments of Macaron, Oracle Labs’ open-source project for enhancing software supply chain security, with a particular focus on Python malware detection and securing build processes. As attacks targeting Python packages grow, Macaron provides an effective solution for identifying malicious packages and behaviors, ensuring the integrity of build processes. Many organizations rely on building third-party artifacts from source while building their own applications, and Macaron empowers them to do so by offering detailed insights into the entire build process. We will also compare Macaron with existing solutions and highlight its unique features.

    Behnaz Hassanshahi -
    Oracle Labs, Principal Researcher, Technical Lead

  • March 19, 2025
    Exploring OpenSSF Scorecard and the Ortelius Project to Enhance Open Source Security

    As the challenges of securing software supply chains grow, adopting robust and automated security practices is more crucial than ever. OpenSSF Scorecard, developed by the Open Source Security Foundation (OpenSSF), provides a reliable framework for assessing the security posture of open-source projects. Complementing this, Ortelius offers an open-source solution for continuous vulnerability tracking and management, seamlessly integrating with tools like OpenSSF Scorecard and OSV.dev.
    Jenkins, as a CI/CD powerhouse, adds another critical layer to this ecosystem, making it an ideal platform for advancing continuous vulnerability management. This talk will showcase how integrating Ortelius and OpenSSF Scorecard into Jenkins pipelines enables teams to automate vulnerability scans, monitor security metrics, and address threats with greater efficiency. Attendees will gain practical insights into leveraging these tools together to build a secure, automated, and resilient software delivery lifecycle.

    Tracy Ragan - CEO, DeployHub; OpenSSF Board Member

  • March 19, 2025
    Understanding Software Supply Chain Risk's Place In Enterprise Risk

    Software Supply Chain Risk is well understood as a major issue in cybersecurity, as ENISA demonstrated in 2021 when they forecast it to be the top threat vector by 2030. However, where does Software Supply Chain Risk sit in the total enterprise risk spectrum?

    This talk will arm attendees with the knowledge to properly discuss Software Supply Chain Risk with Chief Risk Officers, CFOs and Board Directors. At the end of the session, cybersecurity practitioners will be able to speak the language of risk management to secure the necessary focus and budget to improve their organization's Software Supply Chain Risk posture.

    Jonathan Simkins, CEO @ Kosai

  • March 19, 2025
    AI in Your Supply Chain: Recalibrating Development and AppSec for the AI-Powered Era

    AI agents like GitHub Copilot, Cursor, and Windsurf are transforming software development—automating tasks, shifting PR responsibilities left, and accelerating iteration cycles. AI is no longer just a tool; it’s an integral part of the software supply chain, shaping how code is written, tested, and deployed.

    In this session, we’ll demystify AI in modern development, exploring how to leverage AI tools, adapt AppSec for an AI-driven world, and proactively address AI as a supply chain vector—ensuring AI-driven development strengthens security, not weakens it.

    We’ll walk through how:
    - AI agents impact your software supply chain, from code generation to autonomously completing coding tasks and executing development processes.
    - New risks introduced by AI increase pressure on AppSec, including malicious prompt injection, agent jailbreaks, and accelerated exploits.
    - AI-powered security scanning and automation can adapt to faster development processes by ditching manual processes and using AI agents to execute security scans during development (SCA, SAST, IaC, etc.) alongside traditional PR/CI/CD scans.
    - Governance techniques can help secure AI-assisted development, including security-aware prompt engineering, AI governance in IDEs, and policy enforcement across developer workflows.
    - Leveraging AI-driven automation can reduce security debt: how AI can help mitigate risks earlier, decrease the cost of fixing security findings, and drive compliance without slowing down engineering velocity.

    Learn how to adapt to ensure AI in software development delivers on its promise of a brighter future instead of its threat of unforeseen risks.

    Speaker
    Amit Chita
    Head of Posture Management at Mend.io, ex Atom-Security Co-Founder (acq. Mend)

    Amit Chita is a seasoned technology leader with over two decades of experience in the software industry, driving innovation across cloud computing, AI, and cybersecurity. As the Co-Founder of Atom Security—acquired by Mend.io in late 2023—he brings a unique blend of expertise in business, venture capital, software engineering, and reverse engineering.

  • March 19, 2025
    Break: Please Visit Expo Hall and Solutions Theater
  • March 19, 2025
    Practitioner Panel: Overcoming Supply Chain Security Blind Spots

    At the very highest levels, the U.S. government has called urgent attention to major security gaps in software supply chains, especially around open-source software dependencies, firmware development, and technologies powering CI/CD pipelines. From executive orders to mandates around security patches and zero-trust network implementation, supply chain security is a front-burner issue for everyone.

    In this session, high-powered cybersecurity leaders will examine the challenges facing software supply chains, the value of SBOMs (software bill of materials), navigating open-source software dependencies and dangerous blind spots in modern computing.

  • March 19, 2025
    Break: Please Visit Expo Hall and Solutions Theater

Through the Call for Presentations (CFP), a conference committee will accept speaker submissions for possible inclusion in the program at the 2025 Supply Chain Security and Third-Party Risk Summit.

For more information and to submit for the CFP, please use this link.

This virtual event will provide an overview of current trends and challenges in securing open-source software, the hard-to-mitigate risks associated with software dependencies, and how identities (people, services and devices) have become the new perimeter, demanding new defensive approaches.

Hear from CISOs and corporate defenders on assessing and managing third-party vendor risks, mitigating exposure from service providers and best practices for due diligence and continuous monitoring.
Discussion topics will include:

  • Identity as the new security perimeter and the risk of cascading supply chain problems.
  • Best practices for evaluating third party vendors and tools and techniques for continuous monitoring.
  • Innovations in identity verification and authentication.
  • Compliance and legal considerations.
  • Case studies and real world discussions of managing supply chain and third party risks.
  • Crisis management and response during major incidents.
  • Future trends and predictions.
Event Details

  • Start Date: March 19, 2025 11:00 am EST
  • End Date: March 19, 2025 4:00 pm EST