Panel: Security Against Modern Threats - InfoQ

The software supply chain has become increasingly vulnerable to sophisticated attacks, from typosquatting to AI-generated vulnerabilities. In this InfoQ panel discussion, security experts explore how organizations can move beyond basic scanning to build resilient systems by design.

The Escalating Threat Landscape

The panelists begin by acknowledging the dramatic escalation in software supply chain threats over recent years. These attacks have evolved from simple dependency confusion to more complex scenarios involving compromised build pipelines and AI-generated vulnerabilities. The consensus is clear: organizations must shift from reactive security to proactive resilience.

Zero Trust in the Software Supply Chain

Emma Yuan Fang, Senior Security Architect at EPAM, emphasizes that zero trust principles extend far beyond cloud infrastructure. A critical assumption many companies make is that dependencies from public repositories or marketplaces are inherently trustworthy. This assumption is dangerous.

"If you don't do enough checks, if you don't scan your dependencies for vulnerabilities, you will never be able to identify those vulnerabilities in those dependencies."

Yuan Fang explains that supply chain attacks can affect every stage of the CI/CD pipeline. Another common assumption is that internal CI/CD pipelines are trusted simply because they were developed in-house. Without proper auditing and configuration, these pipelines can become attack vectors themselves.

Moving Beyond Basic Scanning

While scanning for vulnerabilities is essential, the panelists agree it's insufficient on its own. Andra Lezza, Principal Application Security Specialist at Sage, advocates for real-time monitoring to detect active attacks.

Stefania Chaplin, Founder & CEO of DevStefOps, emphasizes the need for comprehensive feedback loops. Security teams must not only identify vulnerabilities but ensure they're fixed in production. This requires:

• Automated monitoring for anomalous behavior
• Alert systems that trigger human intervention when patterns deviate from expected behavior
• Training programs tailored to specific team needs (e.g., cross-site scripting for frontend teams, data injection for AI teams)

Practical Risk Assessment Strategies

Celine Pypaert, Vulnerability Manager at Johnson Matthey, recommends a multi-layered approach:

1. Traditional scanning (SAST, DAST, SCA)
2. White box testing - internal analysis of application internals
3. Black box testing - external perspective mimicking attacker behavior
4. Penetration testing - professional ethical hacking exercises
5. Red team exercises - comprehensive attack simulations

Pypaert stresses the importance of understanding the full attack surface, including infrastructure, containers, orchestration layers, and virtualized environments. She recommends using tools like attack path analysis to visualize potential compromise routes.

Shifting Left with Penetration Testing

Traditionally, penetration testing occurs in pre-production environments. However, Yuan Fang advocates for earlier testing:

"If you have the resources and the team, do a penetration testing as early as STE environment to detect early signs of vulnerability."

This shift-left approach is crucial because fixing vulnerabilities later in the development lifecycle becomes exponentially more expensive.

The Human Element in Security

Despite technical solutions, the panelists highlight that human factors remain significant vulnerabilities. Phishing continues to be a major attack vector, even for large organizations. Chaplin notes that attackers exploit human psychology through tactics like repeated push notifications or social engineering.

"Security breaches don't sleep. The final one is just around the training."

Secure by Design Principles

Integrating security into engineering workflows requires architectural thinking. The panelists recommend:

• Threat modeling before implementation
• Asset identification and understanding what needs protection
• Attack path analysis to identify vulnerabilities
• Zero trust verification at every stage
• Comprehensive training to address knowledge gaps

Chaplin emphasizes that secure design happens before coding begins. It's about making architectural decisions with security in mind, not bolting it on afterward.

Enabling Developer Velocity Through Security

Security doesn't have to be a blocker. When implemented correctly, it can actually accelerate delivery:

• Peace of mind through comprehensive testing allows developers to focus on features
• Compliance requirements enable business operations
• Automated guardrails prevent costly security incidents
• Early vulnerability detection reduces rework

Pypaert compares security to a seatbelt—it enables safe speed rather than preventing movement.

Governance and Organizational Alignment

Effective security requires governance structures. Yuan Fang recommends centralized oversight through centers of excellence or similar bodies. This includes:

• Access control to development tools
• Standardized processes across merged or acquired organizations
• Clear ownership of security responsibilities
• Metrics and reporting for continuous improvement

AI and Emerging Threats

The panel discusses AI-specific vulnerabilities, including prompt injection attacks. A notable example involved a car manufacturer's chatbot that was manipulated into making legally binding offers due to inadequate security guardrails.

Actionable Takeaways

The panelists provide several practical recommendations:

1. Don't trust anything - verify all dependencies and internal processes
2. Implement comprehensive scanning across all layers (application, dependencies, containers, infrastructure)
3. Establish security governance with centralized oversight
4. Conduct regular penetration testing starting in early development stages
5. Create psychological safety for reporting security concerns
6. Provide ongoing training through lunch-and-learns and workshops
7. Use metrics to track progress and identify areas needing support
8. Gamify security to increase engagement and awareness

The Path Forward

The discussion concludes with a call for organizational cultural change. Security must become everyone's responsibility, embedded in the development mindset rather than treated as an afterthought. By combining technical controls, governance structures, and cultural initiatives, organizations can build resilient systems capable of withstanding modern threats.

"If everyone else got 1% better, that would have a massive compound interest on the organization."

The future of software security lies not in perfect technical solutions but in creating environments where security is intuitive, accessible, and integrated into every aspect of the development lifecycle.