As organizations expand their reliance on third-party providers, insider threats—whether driven by malice or mistake—become increasingly difficult to detect and control. This session, presented in collaboration with the CERT Division’s Insider Threat Center and Risk Management team, explores the critical intersection of insider risk and supply chain security. Using real-world examples, the session will highlight the challenges of monitoring and mitigating threats from both internal actors and Trusted External Entities (TEEs).

In this session you will:

• Examine real-world insider incidents that reveal how third-party relationships can expand attack surfaces
• Learn strategies to integrate insider threat considerations into enterprise-wide risk management programs
• Discover tools and metrics to help build, assess, and maintain a trusted ecosystem of external providers

As uncrewed aerial systems (UAS) become integral to critical industries, robust cybersecurity measures are essential. This session addresses the challenges of UAS security, autonomy in next-gen drones, and the collaborative efforts of public-private partnerships. Industry initiatives to standardize Advanced Air Mobility (AAM) promise to revolutionize transportation with drone taxis, cargo drones, and smart aerial networks. However, securing these systems against cyber threats is crucial.

In this session you will:

• Explore real-world cybersecurity threats to UAS
• Discover cutting-edge security research
• Understand how these advancements will reshape cybersecurity for aerospace and critical infrastructure

Traditional third-party risk management (TPRM) relies heavily on lengthy security questionnaires—but are they truly improving security, or simply generating administrative burden for both vendors and security teams? As vendor ecosystems scale into the thousands, the conventional model of static assessments is proving outdated and ineffective. In this session, Chuck Kesler, CISO at Pendo, draws on his unique experience as both customer and vendor to share how his approach to TPRM has evolved—especially with the adoption of AI-driven tools that streamline processes and improve outcomes.

In this session you will:

• Discover how to assess and monitor vendors more effectively using risk-tiering, AI tools, and embedded contract requirements
• Learn how vendors can proactively reduce assessment fatigue, demonstrate security maturity, and build trust through transparency
• Explore forward-looking ideas like automated vendor monitoring, GRC integrations, and improving the value of third-party security "credit scores"

Large language models (LLMs) like ChatGPT are transforming the landscape of software development and evaluation, though claims of AI replacing programmers are often overstated. This session delves into the core technologies of LLMs and their role in software generation and assessment, emphasizing the influence of training data that includes insecure coding practices. We share insights from analyzing over 100 million lines of code in languages such as C, C++, and Java using tools like ChatGPT 3.4, ChatGPT 4, and CoPilot. Participants will gain a comprehensive understanding of the advantages and potential pitfalls of LLMs, strategies for mitigating associated risks, and foresight into the future of secure AI-driven software development.

In this session you will:

• Gain insights into the foundational technology and capabilities of LLMs in software evaluation.
• Identify the risks and benefits of integrating LLMs into software development processes.
• Explore effective strategies to mitigate risks and promote secure LLM applications.