Interviews | November 18, 2024

AI Will Enable Hyper-Personalized Phishing Attacks in 2025



Alexis Wales
VP, Chief Information Security Officer

GitHub

Q1. Given the rise in software supply chain attacks, what measures is GitHub taking to protect developers and organizations against threats like dependency poisoning, malicious packages and tampering?

We’ve seen events like SolarWinds and Log4j bring supply chain security into the mainstream, providing key reminders of the importance of securing critical code. After all, in today’s interconnected development environment, a single vulnerability anywhere can quickly become a vulnerability everywhere due to downstream effects.

At GitHub, security is embedded into everything we do, from ensuring the health and security of our platform and business, to our broader community. We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our Acceptable Use Policies on malware and exploits. We employ manual reviews and at-scale detections that use machine learning and constantly evolve to mitigate malicious usage of the platform, and of course also encourage customers and community members to report abuse and spam.

Additionally, we offer our customers free dependency management tools like Dependabot, and recently released a private preview of Copilot Autofix for Dependabot to help developers fix supply chain vulnerabilities with the help of AI. Features like Artifact Attestations also create a verifiable and manipulation-proof paper trail, giving developers greater trust in knowing where their software components come from and ultimately reducing their project’s potential exposure to supply chain attacks.

Q2. What unique security challenges and opportunities do you see tied to the growing use of GitHub Copilot and AI/ML in general in software development?

AI is already driving significant productivity benefits for software development, with developers writing code more than 55% faster with GitHub Copilot. And while developers are shipping software faster than previously imaginable, software vulnerabilities are also inadvertently making their way into production. Adding on, this new volume of code is only building on the bedrock of historical code, where latent vulnerabilities may already exist within our production systems.

Eliminating this security debt and ensuring that all newly written code is secure is not feasible as a function of humans alone, especially given the ongoing shortage of cybersecurity talent worldwide. AI will be the catalyst, helping us to help eliminate software vulnerabilities at scale.

For example, Copilot Autofix is already fixing code vulnerabilities more than 3x faster than when done manually. We all know vulnerabilities can live forever, and the longer they’ve remained dormant, the harder and more expensive they are to fix. With AI-powered tools like Copilot Autofix, developers can burn through years of software vulnerabilities in minutes, moving us closer to a reality where a vulnerability found means a vulnerability fixed.

Q3. What does GitHub have planned for Black Hat Europe 2024? What is your company's main focus at the event?

We’re looking forward to showcasing the power of GitHub’s Copilot-powered platform, including innovations with Copilot Autofix to give developers more agency over the tools they use and help teams prioritize and orchestrate vulnerability remediation at an unprecedented scale. We’ll continue to bring more AI-native experiences across the platform that improve developer happiness and productivity, while ensuring security is baked in at every step.


Javvad Malik
Lead Security Awareness Advocate

KnowBe4

Q1. Looking to 2025, what are the emerging trends in phishing and social engineering that CISOs should prepare for? What should they understand about the threat from deepfake technology and AI-generated content?

AI-powered attacks will not only continue to rise during 2025, but we will also likely see larger adoption of different avenues beyond phishing emails. We have already started to see voice and video being used more effectively and we’ll also likely see greater automation and targeting of individuals through phone calls, text messages, or social media.

A lot of this will lend itself to multi-channel phishing campaigns with coordinated attacks across email, social media, phone calls, etc. AI will offer criminals the ability to maintain consistent narratives across the multiple platforms, to add credibility to the attack.

Perhaps the most dangerous aspect of AI-powered attacks in this regard will be emotional manipulation and hyper-personalization of spear-phishing attacks. AI can analyze social media and online behavior in order to craft highly emotional appeals. These could cause phishing attempts to coincide with significant life events or crises.

In terms of emerging technologies, we may also see an increase in attempts to target IoT devices and smart home systems or social engineering attacks beginning to surface in augmented and virtual reality environments. We may also see AI assistants themselves be compromised and be used to deceive users or extract sensitive information.

Q2. What tactics and strategies should companies be deploying to protect employees and executives from these scams?

To protect against these attacks, CISOs need a multi-layered approach. AI-powered security offerings can help detect deepfakes and other AI-generated threats and prevent such threats from reaching the user.

Authentication also needs to be enhanced, with multi-factor authentication being enforced across all systems. A zero trust security model can also reduce the impact of a phishing attack.

But perhaps the most important aspect is to enhance employee security awareness and training. This involves a few aspects. Regular training needs to be provided in order to keep people up to date with the latest threats and methods the criminals are using. Where possible, content should be made relevant, timely, and adaptive to the user's needs. This can be achieved by having a variety of content in different formats, styles, and duration, that can be delivered as nudges when it is most needed.

Overarching this is the principle that people should think less about the way in which they are being attacked, but look out for the red flags: is it an expected communication, is authority being built up, does it include an unusual ask, such as sharing of passwords or downloading files, does it invoke an emotional response, and is there a time pressure to fulfil it?

If these things are kept in mind, then it doesn’t matter whether the attack is generated by AI or if it comes through a different medium, people will be better equipped to recognize and report it.

Q3. How does KnowBe4 plan to engage with customers and other organizations at Black Hat Europe 2024? What do you want attendees to take away from your company's presence at the event?

We always look to have meaningful and impactful conversations and interactions with customers and other organizations at events like Black Hat. We recognize that all customers, non-customers, and other vendors are all on the same side. We all want to make our organizations more resilient and reduce the risk of cyber-attacks.

Events are a place where we can all learn from each other, and we want people to understand how we view the challenges and how we can help their people make better risk decisions every day.


Chris Lindsey
Application Security Evangelist

Mend.io

Q1. How has the proliferation of modern development practices like microservices, serverless, cloud native, infrastructure-as-code and API-first architectures impacted requirements for application security?

Modern development practices have greatly complicated application security. Most application security teams come from the network side of security. By adding these additional complex design principles, teams will struggle to address them. In today's world, developers are required to be part of the application security team, or the program will struggle.

For example, with APIs, the attack surface is increased. APIs are essential for any application being developed. They support websites, mobile applications, B2B and more. Security tools only cover certain aspects of API security, but what about the other parts that are not covered? Developers have the knowledge on how to properly threat model APIs from a security standpoint.

Concepts of cloud native, dynamic environments, and serverless are foreign to even some of today’s developer teams. The skills required to work in the cloud are highly specialized and require additional training. Correctly understanding zero trust concepts, identity management, granular security policies, compliance, and security automation is beyond your typical resource. The new world we are living in requires a village to support the application security program. Not to mention microservices.

Microservices, infrastructure as code, and the current design architecture can be amazing when properly implemented. However, the architecture and knowledge to support them from a security standpoint can be challenging to find.

What all of this means is that developers must stay current with today’s technologies and trends, and so does your application security team. Application security has moved beyond the concepts of simple scanning into the world of complex architecture.

Q2. What are some of the biggest barriers to developing effective application security programs? How are forward-leaning organizations addressing these challenges?

Application security faces many barriers to success. The fundamental problem is that developers do not understand how to write secure code. Spending on scanning tools is pointless if developers don’t know how to write secure code; they'll keep adding to security tech debt with every release.

Building an effective AppSec program means training developers how to write secure code and working up from there. Security tools receive a bad rap when it comes to working with security and developers. Security teams that do not have developers on them typically will give unfiltered security findings directly to the developers. This does nothing more than create additional backlog items to be worked without proper prioritization.

Another barrier plaguing security programs is how vulnerabilities are treated. Security findings are bugs and poor programming practices. QA should be part of the security process, but is typically left out. For example, a security finding related to SQL injection is nothing more than development taking a shortcut by concatenating a string instead of properly parameterizing SQL.

When QA is part of the security process, they will know which vulnerabilities were identified, which should be addressed, and which can be ignored—similar to how they identify issues during their testing. If QA understands they had 10 critical findings, 1 addressed, and 1 created, they should fail the release. Fixing the 1 critical finding doesn't mean they can create another. Each finding addressed is 1 less vulnerability in their system.

Silos and communication issues are rampant between security and developers, preventing both teams from being able to communicate back and forth effectively. Some teams will not allow developers to communicate with anyone outside of their team. Even though security should be allowed to communicate, they can’t. Silos need to be addressed, and walls need to come down.

Q3. What key innovations or capabilities does Mend plan to highlight at Black Hat Europe 2024?

Mend.io will highlight our AI capabilities and unified platform (holistic view). Mend.io is leading the way in identifying malicious and compromised AI models. The ability to understand which AI models are integrated into your software applications is critical to understanding your threat model. Two additional vital aspects of our AI offering are both licensing and AI-BOM. Understanding what licenses your AI models are using prevents unintentional license violations and helps raise awareness of risks to the development teams. Finally, AI-BOM provides visibility into the AI components and dependencies used in your applications. This transparency will ensure that teams make informed decisions about their use of AI.

The unified platform provides a holistic view of an organization's security posture. To better prioritize security findings, knowing that a given security finding has additional exploitability will ensure that it’s better prioritized by both security and development teams. An additional benefit to the unified platform is the ability to have a comprehensive dependency inventory. This is key to addressing zero-day findings quickly and efficiently. The policy engine has seen a considerable improvement and brings a lot of new functionality to the platform. The downstream effects can be felt in the CI/CD pipeline, such as failing builds or notifications.

The unified platform has greatly improved the user experience. The goal of this improvement is to provide an enhanced user experience where both security and developers can interact with the data easily. Mend.io still focuses on keeping results where developers work most often, the SCM environment. But this improvement enables them to work easily in the unified platform as well.


Danny Jenkins
CEO & Co-Founder

ThreatLocker

Q1. How do you see zero-trust concepts evolving to address emerging risks over the next three to five years? What role will automation and AI play in advancing zero-trust adoption?

Zero trust is the only way that we are going to be able to stop these cyber-attacks. For far too long businesses and IT departments have been sold a dream of a magic pill to detect and solve all security issues. Zero trust is the solution: by only limiting what is needed in a business, the guesswork is removed from security.

Automation and the use of AI and machine learning enhance the automatic nature of learning, making zero trust little effort. Before, companies would spend years trying to implement least privilege, but with automatic learning and machine learning the deployment is little effort.

Q2. What new trends around endpoint security can organizations expect in 2025? What is it going to take to defend against them?

I suspect we are going to see a lot of noise with AI, promising magic results of threat detection. Unfortunately, most of this is marketing dreams and not realities. We are already starting to see the promise of AI being able to detect bad behaviors, with no explanation of how AI knows the intent of software running. We are also going to see a continued uptick of the use of zero trust technologies to block threats.

Q3. What do you expect customers, and other organizations, will want to hear from ThreatLocker at Black Hat Europe 2024? What is the company's main focus at the event?

The focus of the event is to educate why the zero trust approach is so important, and how to solve cyber issues. ThreatLocker has attended over 800 events this year, all with one purpose, and that is to educate the market.


Joshua Burgin
Chief Product Officer

Upwind

Q1. You recently wrote about the CrowdStrike incident highlighting the need for operational excellence in cybersecurity. What exactly does operational excellence entail? What does it take, at a high level, to get there?

Operational excellence in cybersecurity is about building a framework that’s resilient, adaptable, and committed to continuous improvement. This approach proactively prevents incidents while ensuring an organization can efficiently respond when challenges arise. In my article on the CrowdStrike incident, and a longer-form blog post, I highlighted that operational excellence starts with a culture of accountability, deep analysis, and adaptability – a mindset that embraces learning from every incident. Leaders must support this foundation by fostering transparency, providing ongoing training, and encouraging open communication across teams, creating an environment where teams feel empowered to act.

The “5 Whys” methodology is a powerful tool in this journey. By encouraging teams to dig into the root cause of incidents, it helps avoid superficial fixes and instead addresses process and human factors contributing to vulnerabilities. For instance, a surface-level technical error might actually reveal underlying gaps in cross-team coordination or inadequate testing protocols. This method ensures lessons from one incident strengthen the organization’s security posture as a whole, transforming isolated problems into actionable insights that improve systems over time.

Operational excellence also means tracking key operational metrics, which monitor both immediate threats and broader performance indicators, enabling teams to identify patterns before they become critical. Ultimately, it’s about creating a cybersecurity culture that drives teams to learn, adapt, and act swiftly. This proactive and resilient approach builds a sustainable defense strategy, crucial for maintaining trust and securing an organization’s assets in today’s ever-evolving threat landscape.

Q2. What is driving the need for technologies like Upwind's new capability for automatic discovery of API-sensitive data flows? What exactly does it do?

The rapid expansion of cloud-native applications and interconnected APIs has heightened the urgency for secure data flows. Sensitive information frequently moves between services and systems, increasing exposure risks that attackers can exploit. As organizations rely more on APIs, the need for tools like Upwind’s automatic discovery of API-sensitive data flows becomes crucial to the overall security of the organization. This capability provides a clear, real-time map, and queryable database of data interactions, enabling companies to secure personal, financial, and other confidential data as it moves through APIs.

By automatically identifying sensitive data flows and flagging vulnerabilities, Upwind replaces out-of-date catalog scanning, or manual audit processes that can be time-consuming and error-prone. As APIs are frequent attack vectors, this technology acts as a frontline defense, catching risks early and providing security teams with visibility into data flow patterns across complex cloud environments. This proactive approach enables compliance, protects against data breaches, and reduces the resource strain on security teams, who no longer need to rely solely on manual discovery or react to threats after they occur.

This solution also allows security teams to prioritize high-risk areas, ensuring they can focus on the most critical assets and interactions. As sensitive data flows become more complex, automated discovery tools like Upwind’s enable companies to mitigate risk, remain agile, and build a scalable security strategy.

Q3. As a relatively new company, how does Upwind plan to use its presence at Black Hat Europe 2024 to spread awareness of the company and its technology?

Black Hat Europe 2024 provides Upwind with an invaluable platform to engage with a global community of cybersecurity professionals, customers, and partners. At our booth (107) in the exhibition hall, we’ll be showcasing our latest innovations, including advancements in runtime security for containers & serverless functions, and the automatic discovery of API-sensitive data flows. These cutting-edge solutions address some of the most pressing challenges in cloud-native and hybrid cloud environments, offering attendees an in-depth look at how Upwind is redefining modern security practices.

Beyond the exhibit, we have an extensive lineup of meetings with current and prospective customers, as well as with industry partners. Our goal is to create a space for bidirectional knowledge sharing, where we can listen to the unique challenges security teams face and provide insights into how our solutions meet these needs. This collaborative approach allows us to deepen our relationships, gain direct feedback, and refine our solutions to align with the evolving demands of the industry.

Upwind’s presence at Black Hat is part of a broader strategy to build trust and establish ourselves as an innovative force in cybersecurity. Through these in-person interactions, we aim to demonstrate our commitment to tackling the toughest security challenges, positioning Upwind as a trusted partner and thought leader in the cybersecurity space. For anyone reading this who would like to set up a meeting with Upwind to learn more about our product and how we are helping our customers run more securely and efficiently, you can reach out to us at hello@upwind.io.
