Black Hat 2025: Navigating AI and supply chain security

Experts at the conference will discuss how AI impacts software supply chain security, highlighting challenges and strategies for developers and security teams.

Black Hat USA 2025 sessions will highlight ways to detect and respond to software supply chain attacks, underscoring the challenges security teams face as attackers target weaknesses in the supply chain.

Security vendors will also gather at the annual security conference to discuss effective strategies to secure the software supply chain, especially as developers increasingly use AI.

While cloud-native development has fostered a thriving community for collaboration, efficiency and rapid deployment of software applications, security teams are often challenged in managing security for the ever-growing complexity of the software supply chain.

As developers build applications, they often use open source and third-party code to save time instead of building all their code from scratch. With GitOps processes and continuous integration/continuous delivery (CI/CD) pipelines, developers can also collaborate with team members to check out and check in code components to continuously update their applications. This has made it difficult for security teams to ensure the code is secure, identify the source of the code, maintain an inventory of the code, and monitor and secure the code when it is changed or tampered with.

Hackers like to exploit vulnerabilities in widely used software because it can earn them entry to the largest number of targets. They also like to target areas that may be overlooked, making them the most vulnerable to attack. When exploits occur, security teams are often challenged to find and remediate vulnerable code to protect their applications or to quickly react to minimize the impact of an incident.

Now, advancements in AI bring a new scale of complexity. As organizations face constant pressure to increase productivity, AI promises to fuel new opportunities for innovation and growth. By using generative AI (GenAI) and chatbot tools to create code, developers can produce the code needed to build and release applications even more quickly.

My research on modern software application security for Enterprise Strategy Group, now part of Omdia, found that 64% of organizations currently use GenAI or chatbot tools for code development, with 21% planning to use them, 12% interested in using them and 3% having no plans to use them.

Security teams are bracing themselves as they are tasked with supporting secure development and ensuring protection of their software once it is deployed and running.

My recent study on the state of DevSecOps and cloud security platforms asked respondents about the top cloud-native elements susceptible to compromise, and the top two were AI technology and software supply chain security. In fact, ensuring secure usage of GenAI was the top challenge for security tools supporting development. Development is poised to drastically speed up as AI continues to evolve with agentic AI and trends such as vibe coding.

So, how can security teams keep up? It is important to have the right security tools in place to ensure they can scale to keep up with development, especially as complexity increases with developer usage of AI. Here are key considerations as numerous vendors offer software supply chain products.

Optimizing security to support the full software development lifecycle

Cloud-native development has changed the software development lifecycle to quickly build and release software and then frequently update it in real time. This optimizes efficiency and, ideally, speeds innovation for real-time product improvements in a cyclical fashion.

This has been disruptive for application security teams used to inserting security tools and processes at certain points in the linear, left-to-right, Waterfall development processes, which also mostly used custom code. There were two places to incorporate security. The first was testing before the release of the software to customers in order to catch and remediate issues. Once the product was out, the methods focused on detecting and responding to security issues, attacks or incidents.

This has resulted in the usage of numerous tools and products, often used by different teams, in inconsistent and inefficient ways at different points in the software development lifecycle (SDLC) to address software supply chain security. These include static application security testing, vulnerability scanning, dynamic application security testing, API scanning, container image scanning, software composition analysis, penetration testing, license scanning, configuration checks, software bill of materials (SBOM) generation tools, secrets scanning, dependency analysis and infrastructure-as-code scanning tools.

This does not work with today's more cyclical lifecycles with GitOps processes and CI/CD pipelines. Security teams need to collaborate closely with development teams to incorporate tools and processes within developer workflows, starting as early as possible in the build process.

The research showed that there is much room for improvement in this area, as 53% said they always incorporate security early in development and 47% said they sometimes incorporate security early in development.

Especially as developers increasingly use AI to build and update their software, the lines will blur between custom and third-party code, and security teams will need to support developers throughout the SDLC.

Taking a developer-focused approach to security

It is important that security supports developers as they use cutting-edge processes and tools to efficiently build innovative, feature-rich applications. The research also showed that the biggest challenge to supporting development was ensuring secure use of GenAI.

For software supply chain security, IT security teams need to collaborate with developers to understand what tools and processes they are using, including how they -- and their AI tools -- are sourcing and updating their code to ensure they can incorporate the right security tools and processes within the developers' workflows.

Security teams need to help developers source secure code, understand the full code components with SBOMs, and ensure that they can test and secure all of their software code and update the SBOMs with any release or update. This should seamlessly span into runtime to support the flexibility of developers to push updates. This requires processes to monitor for changes, detect security issues, and react quickly when vulnerabilities are detected or incidents occur, in order to optimize remediation and mitigate the impact.

The research showed that security teams must address challenges to best support development, including ensuring that security processes do not slow development down, that developers are not overburdened with alerts that may be false positives, and that security teams can consistently apply processes, tools and policies across development teams.

Applying AI to enable security to scale with AI use

Security teams have faced challenges keeping up with the greater speed and volume of software releases with cloud-native development. The key to keeping up has been to use tools and processes to enable security teams to move from manual, tedious processes to using tools for automation to optimize efficiency across teams.

This is the perfect application of AI, and this is the only way that security will be able to scale to keep up. This is an exciting time to see vendors incorporating AI, including GenAI and agentic AI, for various use cases, including automating and orchestrating security processes, analyzing data to assess and prioritize risk, monitoring and detecting security issues, and even autoremediating security issues.

It is also important for security vendors to fully harness AI innovation to stay ahead of attackers and keep the advantage on the defender side.

At Black Hat

If you're in Las Vegas this week for Black Hat, join me on Monday, Aug. 4, as I'll be presenting at the Lineaje Software Supply Chain Security Summit.

Two software supply chain security sessions to check out include "When 'Changed Files' Changed Everything: Uncovering and Responding to the tj-actions Supply Chain Breach" and "Your Traffic Doesn't Lie: Unmasking Supply Chain Attacks via Application Behavior."

Key vendors focused on software supply chain security attending Black Hat include Apiiro, ArmorCode, Black Duck, Checkmarx, Contrast Security, Cycode, Data Theorem, Invicti, Legit Security, Lineaje, Manifest, Orca, Palo Alto Networks, Red Hat, ReversingLabs, Snyk, Sonatype, Veracode, Wiz and Zscaler.

I have more research coming this year on developer-focused security and software supply chain security. I would love to hear from you if you are working on your software supply chain security strategy or if you are a vendor in this space.

Melinda Marks is a practice director at Enterprise Strategy Group, now part of Omdia, where she covers cloud and application security.

Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.
