Saturday September 12, 2026 10:30am - 11:30am CDT
Abstract
Modern software development depends on an intricate ecosystem of open‑source libraries, third‑party services, CI/CD workflows, container registries, package repositories, and cloud‑native infrastructure. As organizations accelerate development velocity, their applications increasingly rely on components they neither wrote nor control. This creates a supply chain environment where the weakest external link becomes the attacker’s easiest entry point. While Application Security (AppSec) teams focus on code reviews, SAST/DAST, SCA results, and secure SDLC controls, many of the most dangerous threats originate outside their visibility. These include malicious dependency updates, compromised package maintainers, poisoned CI/CD pipelines, hijacked SDKs, and third‑party API breaches—risks that traditional AppSec tooling isn’t designed to detect.
At the same time, cyber defence teams track adversary activity, ecosystem‑level manipulation, suspicious code commits, dark‑web chatter, targeted campaigns against popular libraries, and exploitation of software supply chain dependencies. They see indicators and emerging threats far earlier than any automated scanner—but this intelligence rarely makes its way into AppSec decision‑making. As a result, AppSec teams continue to approve dependencies with no CVEs, unaware that the maintainer was compromised; security testing pipelines approve builds even though threat intelligence (TI) has already flagged one of the upstream components; and organizations ship production code containing malicious logic that no scanner will ever detect because the code behaves "as designed"—just not by your design.
This talk presents a unified model for bridging these gaps—delivering a strategic approach through supply chain defence. Attendees will learn how real‑world supply chain attacks unfold, why they bypass traditional AppSec controls, and how integrating cyber defence changes the defender’s perspective. We break down practical detection methods for ecosystem‑level anomalies, maintainer compromise signals, malicious package patterns, CI/CD infiltration attempts, and signs of upstream component manipulation. Through real attack examples and defensive case studies, we show how organizations can fuse AppSec findings (SCA results, dependency mapping, SBOM data) with cyber defence to build an adaptive, intelligence‑driven supply chain protection strategy.
Key Takeaways
  • Why AppSec alone cannot detect supply chain compromise — and the specific blind spots hidden inside package ecosystems, CI/CD pipelines, and third‑party integrations.
  • A practical integration model where the AppSec and cyber defence teams jointly monitor, validate, and block risky dependencies or services before they reach production.
  • Field-tested workflows for real-time supply chain monitoring using SBOM enrichment, threat feeds, dependency risk correlation, and behaviour-based anomaly detection.
  • A blueprint for building an enterprise supply chain defence program that continuously adapts to attacker evolution, ecosystem shifts, and vendor risks.
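The takeaways above describe fusing SBOM data with threat intelligence so that a dependency with no CVE can still be blocked when its maintainer or a specific published version has been flagged. The following is an added example of that correlation step, not code from the talk or its speakers: it reads a CycloneDX-style SBOM fragment, matches each component against a threat-intelligence feed by package URL and by maintainer, and turns the matches into a pipeline gate decision. The SBOM, the feed, the maintainer property name and the feed's field names are all constructed assumptions; real feeds and SBOM generators differ in shape.

```python
"""Correlate an SBOM against a threat-intelligence feed (added example).

The SBOM and feed below are constructed sample data. The indicator fields
(type, purl, maintainer, reason, confidence) and the CycloneDX "maintainer"
property are assumptions about what such inputs carry, not a real feed format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed CycloneDX-style SBOM fragment: three components, none with a known CVE.
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "properties": [{"name": "maintainer", "value": "example-maintainer-a"}]},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "properties": [{"name": "maintainer", "value": "example-maintainer-b"}]},
        # Qualifier on the purl shows why normalization is needed before matching.
        {"name": "ci-helper", "version": "0.9.1",
         "purl": "pkg:npm/ci-helper@0.9.1?repository_url=registry.example",
         "properties": [{"name": "maintainer", "value": "example-maintainer-c"}]},
    ],
}

# Constructed threat-intelligence feed with two indicator kinds.
THREAT_FEED = [
    {"type": "compromised_version", "purl": "pkg:npm/ci-helper@0.9.1",
     "reason": "version published after a reported maintainer account takeover",
     "confidence": "high"},
    {"type": "compromised_maintainer", "maintainer": "example-maintainer-a",
     "reason": "maintainer account reported compromised", "confidence": "medium"},
]


@dataclass
class Finding:
    purl: str
    indicator_type: str
    reason: str
    confidence: str


def normalize_purl(purl: str) -> str:
    """Drop purl qualifiers ('?...') and subpath ('#...') so matching is by type/name/version."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def _maintainer(component: dict) -> Optional[str]:
    """Read the assumed 'maintainer' property from a CycloneDX component."""
    for prop in component.get("properties", []):
        if prop.get("name") == "maintainer":
            return prop.get("value")
    return None


def enrich_sbom(sbom: dict, feed: Iterable[dict]) -> List[Finding]:
    """Return one Finding per (component, matching indicator) pair."""
    by_purl: Dict[str, List[dict]] = {}
    by_maintainer: Dict[str, List[dict]] = {}
    for ind in feed:
        if ind["type"] == "compromised_version":
            by_purl.setdefault(normalize_purl(ind["purl"]), []).append(ind)
        elif ind["type"] == "compromised_maintainer":
            by_maintainer.setdefault(ind["maintainer"], []).append(ind)

    findings: List[Finding] = []
    for comp in sbom.get("components", []):
        purl = normalize_purl(comp.get("purl", ""))
        for ind in by_purl.get(purl, []):
            findings.append(Finding(purl, ind["type"], ind["reason"], ind["confidence"]))
        maintainer = _maintainer(comp)
        for ind in by_maintainer.get(maintainer, []) if maintainer else []:
            findings.append(Finding(purl, ind["type"], ind["reason"], ind["confidence"]))
    return findings


def gate_decision(findings: List[Finding], block_on=("high",)) -> str:
    """Pipeline verdict: block on any high-confidence indicator, review on lower ones."""
    if any(f.confidence in block_on for f in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    results = enrich_sbom(SBOM, THREAT_FEED)
    for f in results:
        print(f"{f.purl}: {f.indicator_type} ({f.confidence}) - {f.reason}")
    print("decision:", gate_decision(results))
```

Neither flagged component carries a CVE, so an SCA-only gate would pass both; the threat-feed correlation is what produces the `block`. In practice the maintainer match should be treated as a review signal rather than an automatic block, since the same person may maintain many unaffected packages, which is why confidence drives the verdict here.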
Why This Talk Is Important
Supply chain attacks are now a preferred strategy for both state-sponsored and financially motivated threat actors. They exploit trust relationships between developers, automation systems, and ecosystem maintainers—areas where AppSec and cyber defence teams lack visibility and have limited operational influence. This session provides a practical, actionable roadmap for bringing both teams together to defend the modern software supply chain—before adversaries weaponize it.
Speakers
Niladri Sekhar Hore
Lead Engineer - Threat Detection and Automation, StoneX Group
Niladri Sekhar Hore is a Lead Engineer at StoneX Group in Threat Detection and Automation. He builds data-driven detection systems and security automation frameworks across cloud and hybrid environments, focusing on operationalizing security intelligence into measurable runtime...
Anurag Mathur
Staff Engineer - Application Security, StoneX Group
Anurag Mathur is a Staff Engineer in Application Security, specializing in secure architecture design, vulnerability research, and threat modelling for modern application ecosystems. He works closely with engineering teams to identify business logic weaknesses, harden authentication and authorizatio...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk