Subject: Application Security / DevSecOps
Saturday, September 12
 

10:30am CDT

Behaviour-Driven Detection for Software Supply Chain Exploitation
Saturday September 12, 2026 10:30am - 11:30am CDT
Abstract
Modern software development depends on an intricate ecosystem of open‑source libraries, third‑party services, CI/CD workflows, container registries, package repositories, and cloud‑native infrastructure. As organizations accelerate development velocity, their applications increasingly rely on components they neither wrote nor control. This creates a supply chain environment where the weakest external link becomes the attacker’s easiest entry point. While Application Security (AppSec) teams focus on code reviews, SAST/DAST, SCA results, and secure SDLC controls, many of the most dangerous threats originate outside their visibility. These include malicious dependency updates, compromised package maintainers, poisoned CI/CD pipelines, hijacked SDKs, and third‑party API breaches—risks that traditional AppSec tooling isn’t designed to detect.
At the same time, Cyber defence teams track adversary activity, ecosystem‑level manipulation, suspicious code commits, dark‑web chatter, targeted campaigns against popular libraries, and exploitation of software supply chain dependencies. They see indicators and emerging threats far earlier than any automated scanner—but this intelligence rarely makes its way into AppSec decision‑making. As a result, AppSec teams continue to approve dependencies with no CVEs, unaware that the maintainer was compromised; security testing pipelines approve builds even though TI has already flagged one of the upstream components; and organizations ship production code containing malicious logic that no scanner will ever detect because the code behaves "as designed"—just not by your design.
This talk presents a unified model for bridging these gaps—delivering a strategic approach through supply chain defence. Attendees will learn how real‑world supply chain attacks unfold, why they bypass traditional AppSec controls, and how integrating cyber defence changes the defender’s perspective. We break down practical detection methods for ecosystem‑level anomalies, maintainer compromise signals, malicious package patterns, CI/CD infiltration attempts, and signs of upstream component manipulation. Through real attack examples and defensive case studies, we show how organizations can fuse AppSec findings (SCA results, dependency mapping, SBOM data) with cyber defence to build an adaptive, intelligence‑driven supply chain protection strategy.
Key Takeaways
  • Why AppSec alone cannot detect supply chain compromise — and the specific blind spots hidden inside package ecosystems, CI/CD pipelines, and third‑party integrations.
  • A practical integration model where AppSec and Cyber defence teams jointly monitor, validate, and block risky dependencies or services before they reach production.
  • Field-tested workflows for real-time supply chain monitoring using SBOM enrichment, threat feeds, dependency risk correlation, and behaviour-based anomaly detection.
  • A blueprint for building an enterprise supply chain defence program that continuously adapts to attacker evolution, ecosystem shifts, and vendor risks.
Why This Talk Is Important
Supply chain attacks are now a preferred strategy for both state-sponsored and financially motivated threat actors. They exploit trust relationships between developers, automation systems, and ecosystem maintainers—areas where AppSec and cyber defence teams lack visibility and have limited operational influence. This session provides a practical, actionable roadmap for bringing both teams together to defend the modern software supply chain—before adversaries weaponize it.
Speakers
Niladri Sekhar Hore

Lead Engineer - Threat Detection and Automation, StoneX Group
Niladri Sekhar Hore is a Lead Engineer at StoneX Group in Threat Detection and Automation. He builds data-driven detection systems and security automation frameworks across cloud and hybrid environments, focusing on operationalizing security intelligence into measurable runtime...
Anurag Mathur

Staff Engineer - Application Security, StoneX Group
Anurag Mathur is a Staff Engineer in Application Security, specializing in secure architecture design, vulnerability research, and threat modelling for modern application ecosystems. He works closely with engineering teams to identify business logic weaknesses, harden authentication and authorizatio...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

Defending the Hypervisor: Using Offensive Tooling to Validate vSphere Security
Saturday September 12, 2026 10:30am - 11:30am CDT
VMware (Broadcom) represents the most commonly used enterprise hypervisors. This means a compromised vCenter or ESXi host gives attackers access to every virtual machine and credential in your environment. Defenders often lack visibility into what a post-exploitation attack against the hypervisor layer looks like. So, I built a tool to find out.
In this session, I'll walk through the real-world attack chains that threat actors use against VMware vSphere environments: extracting Kerberos keytabs and credential caches from ESXi hosts, decrypting stored VPX database passwords to pivot across every managed host, dumping JVM heap memory from vCenter to harvest SAML tokens, and forging certificates using stolen VMCA private keys. These are the techniques behind campaigns and APT operations targeting virtualization infrastructure today.
The core of this talk is a live demo of VEXED (vSphere EXploitation Extraction and Detection), an open-source tool I developed to automate these attack chains against vCenter and ESXi. Starting from a single SSH session, I'll show how VEXED chains credential extraction through VPX password decryption to automatically pivot across an entire vSphere cluster — mirroring the lateral movement patterns we as defenders need to detect and prevent.
But I didn't build this as a red team tool. I built it to answer a blue team question: what should I be looking for? For each attack chain I demonstrate, I'll map the corresponding detection opportunities: what logs are generated, what telemetry to forward to your SIEM, and what hardening controls actually break the chain. I'll cover VEXED's built-in hardening audit module, which checks over 20 security configurations across ESXi and vCenter, giving you a repeatable way to validate vSphere security posture. I'll also walk through the interactive attack graph output that visualizes the relationships between compromised credentials, certificates, and pivot paths… something I've found quite useful when communicating to leadership.
 Attendees will leave with:
  - A clear understanding of the most critical vSphere post-exploitation attack chains and how to detect them
  - Practical SIEM detection logic for credential extraction, memory dumping, and lateral movement across vSphere infrastructure
  - A hardening checklist validated against real attack tooling, not just vendor best practices
  - An open-source tool you can run in your own lab to validate defenses before an attacker does
 
  This session is for SOC analysts, infrastructure security teams, and anyone responsible for defending virtualized environments. No prior vSphere security experience is required. Just a desire to understand what happens when the hypervisor layer is compromised and how to stop it.
Speakers
Darryl Baker, DFIRDeferred

Senior Staff Security Researcher, Netwrix
Darryl Baker is a Senior Staff Security Researcher at Netwrix, where he focuses on identity security and emerging attack techniques targeting enterprise authentication systems. With a background spanning security research, consulting, and adversary simulation, he specializes in uncovering...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

Fortress in a Box: Enterprise-Grade Kubernetes Security for the Organizations That Can't Afford It
Saturday September 12, 2026 10:30am - 11:30am CDT
In 2022, the Red Cross was breached and data from 515,000 vulnerable people was exposed. Amnesty International was surveilled by state-sponsored attackers. Bellingcat, the group that documents war crimes, is a constant target of state actors trying to destroy evidence.
These organizations protect the most vulnerable, and have zero security budget to defend themselves.
This talk presents Fortress in a Box, an open-source, one-command Kubernetes security platform built specifically for NGOs, journalists, and human rights organizations. It implements four layers of defense-in-depth: CI/CD scanning with Trivy, admission control with Kyverno, real-time runtime threat detection with Falco, and GitOps self-healing with ArgoCD — fully configured, zero Kubernetes expertise required.
Attendees will see a live demo where Kyverno blocks an insecure deployment and Falco catches unauthorized container access in seconds, routing alerts directly to Discord — no SIEM required.
Takeaways: a clear understanding of how defense-in-depth works in Kubernetes, the specific policies that block the most common attack vectors, and how to deploy Fortress in their own infrastructure that same day.
Speakers
José Lorenzana

DevSecOps Student & Open Source Developer
A computer science student and DevSecOps practitioner focused on making enterprise-grade security infrastructure accessible to organizations that need it most. With hands-on experience in Kubernetes, containers, and cloud security, their work sits at the intersection of technical...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA

Secrets That Survive Everything: The Shift-Right Runtime Gap Left Unguarded
Saturday September 12, 2026 10:30am - 11:30am CDT
A bug bounty researcher found Azure credentials in a JavaScript file and marked the report informational. The credentials were live production values - four Azure AD fields sitting in a public JS bundle, enough to authenticate as the application itself. The frontend had documented its own backend. Full account takeover. The application's token had been granted the ability to perform user-level operations, every account in the system was reachable. The organization had GitLeaks in CI/CD and static secret scanning on pull requests. The credentials were still live.


That was one chain. A second application used CryptoJS to encrypt its configuration, a common pattern in SPAs where developers believe encrypting the config protects it. The decryption key was hardcoded in the same JavaScript file, three lines away from the encrypted blob. The secret to unlock everything was sitting next to the lock. Same credential pattern at the end. Same result.


Shift-left tools scan what you commit. They do not scan what you serve. Build-time environment injection bakes live keys into webpack bundles that never touch the repository. CI/CD pipeline variable substitution materializes secrets only in the build artifact, after every scanner has run. SSR state blobs injected by Next.js and Nuxt carry credentials into HTML that no pre-deployment scanner ever sees. Once a secret reaches production, it disappears from every scanner's view. Sometimes that disappearance is engineered, developers suppress scanner alerts on credentials the application genuinely requires, trading automated monitoring for a green pipeline. The only things finding runtime secrets are manual penetration testers, bug bounty researchers, and attackers. Two of those three report what they find.


This talk walks through both exploitation chains in detail, maps the full shift-right gap in the security tooling landscape, and closes with a live demo using a purpose-built intentionally vulnerable healthcare portal, a HIPAA-branded application exposing Twilio, SendGrid, Stripe, and Firebase credentials in its public JavaScript files, and leaking internal service keys in response headers on every single request.


The demo uses SecretSifter, a free Burp extension, browser tool, and desktop app built for the runtime layer to find every secret passively, without configuration, as traffic flows.


Security teams leave with a clear picture of where their shift-left controls stop, a taxonomy of the six exposure mechanisms that bypass them, and a free tool they can deploy against their own applications the same day.


Speakers
Hemanth Gorijala

Global Penetration Testing Lead
Hemanth Gorijala is an application security professional and penetration tester with 13 years of experience. He conducts web application security assessments and reviews vulnerability reports in enterprise bug bounty programs. The exploitation chains in this talk are drawn from his...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA

Too Big to Review: Scaling AppSec to Zero at Fortune #1
Saturday September 12, 2026 10:30am - 11:30am CDT
As AI-powered development tools accelerate code velocity across the industry, application security programs face an existential scaling problem: the team that was once a trusted partner to engineering has become a bottleneck. Traditional human-led security review cannot keep pace with the rate of new features, services, and infrastructure being shipped; and bolting AI onto a broken process only makes it fail faster.


This talk presents a proven layered framework for scaling application security programs without proportionally scaling the security team, drawn from direct experience building and running the SHINE (Security Hub of Innovation and Efficiency) program at AWS. The framework moves through three progressive layers: Golden Paths that eliminate entire risk categories before review through secure-by-default infrastructure; Deterministic Automation that encodes repeated security decisions into binary, scalable rules; and Agentic Investigation where AI systems assemble complete application context and make judgment calls on genuinely novel problems.


In practice, this architecture reduced security review time by 30% through deterministic automation, drove 90%+ adoption rates of new applications onto secure-by-default infrastructure via CDK property injection, and enabled an Agentic Security Engineer capable of context-aware decisions that previously required senior human involvement.


In today's AI-driven world, the instinct is to reach for a model. But that instinct is wrong when applied too early: AI is not a fix for a broken foundation - it amplifies whatever is already there. Teams missing stability at the foundational layers will find that AI makes the chaos faster, not better. This talk provides a concrete, implementation-grounded roadmap for building the foundation that makes automation and eventually agentic AI actually work.
Speakers
Adam Schaal

Distinguished Engineer, AI Security, Pixee AI
Adam Schaal is a Distinguished Engineer at Pixee, where he focuses on using generative AI and automation to meaningfully change how application security is practiced at scale.
Previously, Adam created and led the SHINE team at AWS, a group tasked with rethinking how security could scale across massive development organizations without slowing builders down. Through experimentation, automation, and hands-on engineering, SHINE explored new approaches to aligning...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

Vibe Check: Scaling AppSec in an AI-Driven World
Saturday September 12, 2026 10:30am - 11:30am CDT
Scaling an AppSec program is hard enough in a traditional environment, but it gets exponentially more difficult when Sonny from Accounting decides to vibe code their own full-stack internal tool over the weekend and announces it in the company All Hands on Monday. The "Shift Left" movement promised to get in front of security breaches by thinking about security early in the development lifecycle, but AI has thrown that idea out the window. How do we shift left when teams are deploying demos in the time that it used to take to agree on basic design principles? Teams are shipping code faster than it can be reviewed and in an era when anyone who can write a mostly coherent thought can pump out an application, vibe coders are spinning up unreviewed shadow apps overnight.


The modern AppSec program has to adapt and scale without becoming a bottleneck. We have to focus on:

  • Automated Guardrails: Leveraging AI to secure the code that AI creates.
  • Democratized Security: Extending AppSec to the vibe coding masses through self-service tooling.
  • Maintaining Quality at Speed: Using risk-based prioritization when the codebase is growing exponentially.

AppSec programs need to stop policing every line of code and start building resilient ecosystems where everyone, not just traditional software engineers, can build safely regardless of how they write their code.
Speakers
Cory Roop

Director of Production Security, Invisible Technologies
Cory leads the Production Security function at Invisible Technologies. He’s a veteran engineer and leader who has scaled security programs for both healthcare firms and hyper-growth SaaS startups. He balances a "big picture" leadership style with a genuine love for the technical...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA

When the Package Is the Weapon: Detecting and Responding to npm Supply Chain Intrusions
Saturday September 12, 2026 10:30am - 11:30am CDT
Your developers trust npm. Attackers figured that out before your detection stack did.
This talk is a ground-up forensic reconstruction of two real npm supply chain campaigns — the NX package compromise in late 2025 and the axios RAT campaign in March 2026 — told entirely from the defender's perspective. Not a theoretical exercise. This is what the logs actually looked like, what the tooling missed, and what finally surfaced the activity.
We walk through how a malicious git hook silently drops a RAT onto a developer endpoint the moment they run a routine yarn dlx command, why this technique is specifically engineered to stay quiet in standard endpoint telemetry, and what the attacker does next. The target isn't your servers. It's the MetaMask wallet sitting in your developer's browser profile and the seed phrases cached in their dotfiles. Cloud credentials are secondary — harvested and staged for resale while the crypto moves on-chain.
The second half of the talk is pure blue team. We'll share the Humio/LogScale query patterns that actually worked, the CrowdStrike telemetry fields that matter for this attack class, the detection gaps these campaigns deliberately exploit, and a hardening checklist your security team can hand directly to engineering.
Real IOCs and detection artifacts from live incident forensics will be released during the session.
You will leave with something you can use the same week.
Speakers
Mohit Bansal

Senior Engineering Manager, Security Engineering, Webflow
Mohit Bansal leads a security engineering team spanning SecOps, Vulnerability Management, Enterprise Security, Incident Response and security tooling. He brings 10+ years of security experience across application security engineering and leadership roles at multiple high-scale technology...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

Your User, Their Rules: Rethinking the OS trust model for the AI-era
Saturday September 12, 2026 10:30am - 11:30am CDT
Operating systems solved multi-user security decades ago: files have owners, permissions enforce boundaries, and one user's processes cannot tamper with another's data. But modern developer workstations are effectively single-user machines — and every process running as that user inherits the same trust. For years, this was a footnote. Today, it is the attack surface.


The explosion of AI-powered developer tools — IDE agents, MCP servers, lifecycle hooks, autonomous coding assistants — has turned local configuration files into high-leverage control planes. These tools store security-critical state (working directories, cluster credentials, session metadata, agent memory) in files and act on them without integrity validation due to assumed trust. The OS says "same user, same trust." The AI tool says "if it's in my config, I'll execute it." The result: any process running in the user's context — a compromised npm package, a malicious browser extension, a rogue VS Code plugin — can cause havoc: silently hijack an AI agent's behavior, redirect kubectl to an attacker-controlled server, or trigger recursive deletion of arbitrary directories to name a few.


In this talk, we present a systematic analysis of this trust gap through three original vulnerability disclosures across Docker Desktop, Lens Desktop, and Claude Desktop. In each case, the attack requires no privilege escalation, no kernel exploits, and no user credentials — only the ability to write to a JSON file that the OS considers perfectly authorized. We use these as case studies to examine a broader architectural problem: the classic OS segregation model was built for a world where "same user" meant "same human." In the age of AI agents, MCP servers, and autonomous tools, "same user" now means "same human plus every autonomous process acting on their behalf" — and processes don't necessarily verify whether the others are trustworthy.


We will dissect why this pattern keeps recurring (electron-store defaults, the absence of application-level integrity checks, the gap between OS-level and application-level trust), propose a threat model for "intra-user trust boundaries," and provide concrete detection and hardening strategies for security teams who need to defend developer endpoints where the OS permission model is necessary but no longer sufficient.


Speakers
Golan Myers

Security Researcher, Bloom Security
Golan is a security researcher at Bloom Security, with previous experience as a researcher within the Cortex Cloud Posture Security research group at Palo Alto Networks, focusing on AI, identity, and data security.
Ofir Balassiano

Co-Founder, Bloom Security
Ofir is an experienced security researcher turned co-founder at Bloom Security. Led the Cortex Cloud Posture Security research group at Palo Alto Networks, focusing on AI, identity, and data security. Previously led the research group at Dig Security (acquired by PANW), served as...
Saturday September 12, 2026 10:30am - 11:30am CDT
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
 
Blue Team Con 2026