Supply Chain Cybersecurity Forum

Beyond the Perimeter: Securing What You Don’t Control 

As software and hardware supply chains grow more complex and globally interconnected, they have also become prime targets for attackers. From deeply embedded vulnerabilities in third-party components to subtle software compromises and counterfeit hardware, today’s supply chain threats are stealthy, sophisticated, and increasingly difficult to detect. 

Join us for a focused 3-hour forum where experts and practitioners tackle one of cybersecurity’s most pressing challenges: how to secure the digital supply chain from code to component.

This forum brings together offensive and defensive insights from the field — grounded in hands-on experience — to equip you with practical strategies, tools, and frameworks to: 

  • Identify and mitigate hidden risks introduced by third-party software and hardware 
  • Conduct technical product security testing and risk analysis at scale 
  • Perform static firmware analysis and deconstruct proprietary protocols 
  • Evaluate vendors and technologies using SBOMs and modern risk methodologies 
  • Build a mature, resilient supply chain risk management program 
  • Engage with key stakeholders to align procurement, contracting, and security goals 

Whether you’re in the trenches dissecting firmware or leading enterprise risk discussions with executives and suppliers, this forum is designed to help you enhance your supply chain security.

Agenda

9:00 AM – 9:10 AM - Welcome & Opening Remarks w/ Doug McKee & Tony Turner

9:10 AM – 9:45 AM - Know Your AI: Scanning the Hidden Layers of Open Source Models w/ Kasimir Schulz

9:45 AM – 10:20 AM - Agentic GRC in Practice w/ Cole Kennedy

10:20 AM – 10:30 AM - Break

10:30 AM – 11:05 AM - Title TBD w/ Steve Springett

11:05 AM – 11:40 AM - Unseen and Unsecured: Firmware Attacks Expanding the Enterprise Attack Surface w/ Paul Asadoorian

11:40 AM – 12:00 PM - Closing Remarks

Join the forum discussion on Slack.

Who Should Attend:
Security engineers, product security professionals, PSIRT teams, risk managers, incident responders, SOC analysts, and cybersecurity leaders responsible for securing their organization’s technology stack and third-party ecosystems.

Supply Chain Cybersecurity Forum

Know Your AI: Scanning the Hidden Layers of Open Source Models w/ Kasimir Schulz

Open source AI models are reshaping modern development pipelines, but they also introduce new challenges to the AI supply chain. As these models become embedded in critical systems, understanding their origins, components, and potential vulnerabilities is essential.

This talk will explore the hidden risks that can emerge within AI model supply chains, from licensing conflicts and embedded unsafe code to model tampering and backdoors. Through real-world examples, we'll reveal how organizations can unintentionally expose themselves to risk when integrating open source models without sufficient visibility. We'll also introduce AI Bills of Materials (AIBOMs) as a key tool for surfacing and managing these risks. Attendees will leave with a clearer picture of what it means to truly "know your AI" and why transparency is vital for building secure, trustworthy systems.

Bio: https://www.sans.org/profiles/kasimir-schulz/

Kasimir Schulz, Director of Security Research at HiddenLayer, is a leading expert in uncovering zero-day exploits and supply chain vulnerabilities in AI. His work has been featured in BleepingComputer, Dark Reading, and Forbes, and he has spoken at conferences such as FS-ISAC and Black Hat. Kasimir leads the development of advanced tools for automating vulnerability detection and implementing large-scale patches, fortifying systems against supply chain attacks. His dedication to proactive defense measures sets a new standard in cybersecurity resilience.

Unseen and Unsecured: Firmware Attacks Expanding the Enterprise Attack Surface w/ Paul Asadoorian
Firmware, the foundational code running beneath operating systems and applications, is a pervasive but often overlooked attack surface in modern enterprises. This presentation uncovers the silent yet significant threats posed by firmware vulnerabilities across a wide range of devices, including network appliances, medical equipment, and critical infrastructure. Through real-world case studies (such as persistent backdoors in patient monitors, authentication bypasses in server management controllers, and insecure firmware update mechanisms in consumer and industrial devices), it demonstrates how attackers exploit firmware to achieve stealth, persistence, and broad impact. The session also explores recent high-profile vulnerabilities affecting firewalls, routers, and microcontrollers, highlighting the challenges of detection and remediation. Practical guidance is provided on firmware validation, forensics, and supply chain risk management, empowering organizations to better secure this hidden layer and reduce their overall attack surface.

Bio: https://www.sans.org/profiles/paul-asadoorian/

Paul Asadoorian is currently a Principal Security Researcher for Eclypsium, focused on firmware and supply chain security. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. In 2005, Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. Paul grew Security Weekly into a network of security podcasts spanning multiple topics, such as application security and business. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, and hosts Eclypsium’s Below The Surface podcast. He enjoys coding in Python, hacking around on ESP32, and telling everyone he uses Linux as his daily driver desktop OS.

Agentic GRC in Practice w/ Cole Kennedy
(Details coming soon)