ConversingLabs Podcast

Predictions For Software Supply Chain Security In 2026

ReversingLabs — Thu, 12 Feb 2026 08:30:00 -0500

In this episode of ConversingLabs Podcast, host Paul Roberts interviews ReversingLabs Chief Trust Officer Saša Zdjelar about the recent Notebook++ hack and what he thinks software supply chain security will look like in 2026. The two will also discuss the findings of RL’s fourth annual report on the subject, which offers six predictions for how threats will evolve, as well as how security teams will respond. Also, Saša will share his take that the technology industry needs to move away from a “move fast and break things” mindset in order to best secure software supply chains.

Read Saša's commentary for Cyber Scoop here: https://cyberscoop.com/move-fast-break-things-cybersecurity-supply-chain-security-op-ed/
Read the 2026 Software Supply Chain Security Report here: https://www.reversinglabs.com/sscs-report

Can Frameworks Stop Supply Chain Attacks?

ReversingLabs — Thu, 04 Dec 2025 08:00:00 -0500

In this episode of ConversingLabs Podcast, host Carolynn van Arsdale welcomes North Carolina State University Professor Laurie Williams and Ph.D. student Sivana Hamer to discuss their team’s research on the effectiveness of software supply chain security (SSCS) frameworks. Their study, “Closing the Chain,” (PDF) found that software products would still be vulnerable to attacks like SolarWinds, Log4j and XZ Utils – even if they fully enforced 10 well-known SSCS frameworks published by government, industry, academia and open source.

The State of Vulnerability Management

ReversingLabs — Wed, 05 Nov 2025 08:00:00 -0500

In this episode of ConversingLabs, host Paul Roberts interviews Casey John Ellis, founder of Bugcrowd, about the state of vulnerability management and bug bounties in 2025. Casey shares his insights on current changes impacting both the threat landscape and the cybersecurity industry, such as matters at the federal level and increased AI usage. Looking at the future, Casey also mentions how important it is to welcome the next generation into cybersecurity.

Who Will Maintain Open Source’s Future?

ReversingLabs — Tue, 14 Oct 2025 08:00:00 -0400

In this episode of ConversingLabs, host Paul Roberts interviews Abigail Cabunoc Mayes, who is responsible for Open Source Maintainer Programs at GitHub – the world’s leading development platform – about the uncertainty of open source’s future. This uncertainty is caused by a steady decline in Gen Z maintainers, which presents a major software supply chain security risk. Abigail will explain how in order to welcome and retain young maintainers, the OSS community must understand the perspectives of Gen Z, and ensure their needs are met. She will also walk through actions that the community can immediately take to address this growing uncertainty.

Read Abigail's blog post on the topic here: https://github.blog/open-source/maintainers/who-will-maintain-the-future-rethinking-open-source-leadership-for-a-new-generation/

Security Badging Open-Source Projects

ReversingLabs — Thu, 21 Aug 2025 08:00:00 -0400

In this episode of ConversingLabs, host Carolynn van Arsdale interviews Kadi McKean, Community Manager at ReversingLabs, to discuss a new initiative aimed at securing the open source software supply chain: the Spectra Assure Community Badge. As a result of threat actors continuing to target open source software (OSS) platforms like PyPI and npm, it’s become increasingly difficult for developers to avoid malicious packages. Kadi explains how this new, free badging system can help the community quickly identify which open source projects meet the most rigorous security standards. If you're a maintainer and want to work with Kadi, email community@reversinglabs.com.

Aviation Has A Software Problem

ReversingLabs — Thu, 10 Jul 2025 08:00:00 -0400

In this episode of ConversingLabs, host Paul Roberts interviews Jiwon Ma, Senior Policy Analyst at the Foundation for Defense of Democracies (FDD), about her recent report that addresses the urgent cybersecurity challenges facing the aviation industry. The report, "Turbulence Ahead: Navigating the Challenges of Aviation Cybersecurity" (PDF), analyzes a number of factors that are putting U.S. aviation infrastructure at increasing cyber risk, including how weaknesses in the software supply chain pose serious risks to the industry.

The Threat of Package Hallucinations

ReversingLabs — Tue, 01 Jul 2025 07:30:00 -0400

In this episode of ConversingLabs, host Paul Roberts interviews Major Joe Spracklen, a PhD student at the University of Texas at San Antonio, who recently published a paper with his peers regarding the threat posed to software supply chains caused by code-generating Large Language Models (LLMs). The paper, “We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs” (PDF), discusses how the rise of these LLMs can create package hallucinations that arise from fact-conflicting errors – representing a novel form of package confusion attack.

Going Back to Basics to Thwart Attacks

ReversingLabs — Thu, 08 May 2025 09:55:00 -0400

In this episode of ConversingLabs, host Paul Roberts interviews Chuck McWhirter, principal solutions architect at ReversingLabs, about the importance of sticking to basics when it comes to thwarting attacks from adversaries. Chuck recounts his experiences in both the public and private sectors, including his efforts in securing the 2002 Olympics – back when the Security Operations Center (SOC) had not yet evolved. The details of Chuck’s journey shed light on how enterprise security teams can better handle the cyber threats stemming from nation-state adversaries. By minimizing cybersecurity tool sprawl and alert fatigue, as well as assessing situational risk, Chuck argues that security teams stand a better chance against attackers.

AppSec Girl Power

ReversingLabs — Thu, 10 Apr 2025 08:00:00 -0400

In this episode, host Carolynn van Arsdale interviews Tanya Janca (aka SheHacksPurple), a world-renowned application security (AppSec) leader, author, speaker and educator. In addition to having multiple bestselling books, such as ‘Alice and Bob Learn Secure Coding,’ Janca is the founder of We Hack Purple and leads education and community for Semgrep. In their conversation, they discuss how Janca’s career embodies AppSec Girl Power: Beginning from her start as a software developer, up to her current success as a prominent thought leader in AppSec and secure coding philosophy.

Subscribe to Tanya's newsletter here, and if you're an AppSec professional, take her survey here.

Find Tanya on social media:

Cybersecurity's Double-Edged Sword

ReversingLabs — Wed, 26 Mar 2025 09:42:40 -0400

In this episode of ConversingLabs, host Paul Roberts chats with Malcolm Harkins, Chief Security and Trust Officer at HiddenLayer, about cybersecurity’s double-edged sword: artificial intelligence (AI). Harkins will discuss what HiddenLayer has discovered in regards to AI-based threats to software supply chains, including research about DeepSeek R1. The two will also identify which enterprise security tools lack the means to spot these developing threats. Finally, they’ll consider whether or not AI itself can be a part of the solution in out-pacing threat actors’ utilization of these risks.

The Evolution of Threat Intel

ReversingLabs — Mon, 17 Mar 2025 14:37:37 -0400

In this episode of ConversingLabs, host Paul Roberts chats with Jason Valenti, director of product at ReversingLabs, about the evolution of threat intelligence and the growing role it’s playing in cyber defense. A former IT specialist at the FBI and director of product management at the firm CrowdStrike, Jason will touch on his journey prior to his RL career and his work to promote the use of threat intelligence in both the public and private sectors. Jason will also talk about the epidemic of sophisticated cybercriminal and nation state hacking campaigns and how enterprise security teams can leverage threat intel to contextualize- and push back against these pressing threats.

You can find Jason on LinkedIn here.

Hackers Hacking Hackers

ReversingLabs — Tue, 01 Oct 2024 08:00:00 -0400

In this episode, host Paul Roberts chats with Security Researcher Sam Curry about his own experience being hacked via the Internet of Things and how it led to a shocking discovery regarding modem security. More broadly, the conversation touches on how APIs can leave consumers vulnerable, the increasing popularity of IoT attacks, and how to mitigate such risks.

Check out Sam's blog post about his modem getting hacked here: https://samcurry.net/hacking-millions-of-modems

Learn more about Sam and Ian Carroll's research on airport security here: https://ian.sh/tsa

The Past, Present & Future of SBOMs

ReversingLabs — Tue, 10 Sep 2024 06:00:00 -0400

In this episode, host Paul Roberts chats with Beau Woods, Founder & CEO of Stratigos Security, about the history of the software bill of materials (SBOM) – from its beginnings, to its modern-day use, to efforts underway to adapt it for the future. SBOMs have exploded in popularity within the past two years, and are oftentimes considered synonymous with software supply chain security. However, SBOMs are not a new tool, and while they’re important – they certainly aren’t the end-all-be-all for mitigating modern threats to software supply chains. Woods will explain in this conversation how SBOMs have taken center stage in 2024, and how they will continue to impact the future of cybersecurity.

Is Cybersecurity Ready for the SolarWinds Prosecution?

ReversingLabs — Wed, 22 May 2024 08:00:00 -0400

In this episode, host Paul Roberts chats with Tarah Wheeler, CEO of Red Queen Dynamics, about her recent Council on Foreign Relations piece regarding what the U.S. SEC’s prosecution of SolarWinds and new disclosure rules mean for the cybersecurity industry at-large. Wheeler believes that these new moves from the Commission emphasize the concept of “materiality” in cyber - graduating the industry to a level of enterprise risk it has never experienced before.

Chinese APT Group Exploits SOHO Routers

ReversingLabs — Wed, 03 Apr 2024 09:00:00 -0400

In this episode of the ConversingLabs podcast, host Paul Roberts chats with Daniel Adamitis, a Principal Information Security Engineer at Lumen Technologies’ Black Lotus Labs. They discuss his team’s discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers, which is being used by a Chinese nation-state backed APT group as a covert data transfer network. The group, known as Volt Typhoon, is also well known for targeting U.S. critical infrastructure.

Securing Medical Devices with SBOMs

ReversingLabs — Wed, 27 Mar 2024 08:00:00 -0400

In this episode, host Paul Roberts chats with Kevin Fu, an Electrical & Computer Engineering Professor at Northeastern University, about the new federal standards for the cybersecurity of medical devices, which includes the submission of software bills of materials (SBOMs) to the FDA. The two will discuss the new mandates for medical device manufacturers, as well as key takeaways for how these organizations can improve their software supply chain security programs.

The LockBit Takedown: What We Know

ReversingLabs — Fri, 15 Mar 2024 08:00:00 -0400

In this episode, host Paul Roberts chats with Ali Khan, Field CISO at ReversingLabs, about the recent takedown of the LockBit ransomware group, which is considered to be one of the most prolific cybercrime groups globally.

The State of Software Supply Chain Security 2024

ReversingLabs — Wed, 28 Feb 2024 12:30:00 -0500

In this episode, host Paul Roberts chats with Karlo Zanki, a Reverse Engineer at ReversingLabs, about the state of software supply chain security in 2024. The two will review key findings on the software supply chain threat landscape in 2023, as well as what security and development teams can expect from malicious actors in 2024. Zanki will also highlight several of the major software supply chain security incidents discovered by RL threat researchers in the past year.

The State of Open Source Software Security

ReversingLabs — Thu, 05 Oct 2023 15:49:49 -0400

In this episode, host Paul Roberts chats with Mikaël Barbero, Head of Security at the Eclipse Foundation, about the state of open source software security. Eclipse has been around for more than two decades and has for a long time prioritized the mitigation of threats to open source projects. In their conversation, Mikaël chats with Paul about where Eclipse stands today, what current threats are being posed to open source repositories, as well as how nation-states and international organizations are working to combat these threats.

Apple Devices as a Growing Attack Vector

ReversingLabs — Wed, 27 Sep 2023 10:01:21 -0400

In this episode, host Paul Roberts chats with Devin Byrd, Director of Threat Intelligence at Kandji on the sidelines of the 2023 Black Hat USA conference. In their conversation, Byrd discusses how Kandji has grown into a major security provider for macOS users, and how the attack vector for macOS and iOS users has increased in recent years. He explains that only dealing with adware and junkware on these devices was a thing of the past, but now, macOS devices are being targeted with malicious back doors and even software supply chain attacks.

The Art of Security Chaos Engineering

ReversingLabs — Wed, 20 Sep 2023 14:45:45 -0400

In this episode, host Paul Roberts chats with Kelly Shortridge, a Senior Principal at Fastly, on the sidelines of the 2023 Black Hat USA Conference. In their conversation, they discuss her new book, Security Chaos Engineering: Sustaining Resilience in Software and Systems, as well as her Black Hat talk, “Fast, Ever-Evolving Defenders: The Resilience Revolution.”

Modern Risks to the Internet of Things and Software Supply Chains

ReversingLabs — Wed, 13 Sep 2023 11:29:40 -0400

In this episode of ConversingLabs, host Paul Roberts chats with Thomas Pace, the CEO & co-founder of the firmware security firm NetRise. Thomas and Paul talk about the shifting ground of threats and attacks as the Internet of Things grows and works its way into homes, businesses and industries - including critical infrastructure. They also talk about the growing specter of software supply chain threats and attacks.

Lemons & Liability: What it Means for Software Applications

ReversingLabs — Wed, 06 Sep 2023 10:16:54 -0400

In this episode, host Paul Roberts chats with Daniel Woods, a Cybersecurity Lecturer at The University of Edinburgh on the sidelines of the 2023 Black Hat USA conference about his briefing: “Lemons and Liability: Cyber Warranties as an Experiment in Software Regulation.”

Creating the Standard for Supply Chain Risk

ReversingLabs — Wed, 21 Jun 2023 12:59:00 -0400

In this episode, host Paul Roberts chats with Robert Martin of MITRE and Cassie Crossley of Schneider Electric about their session at this year’s RSA Conference. They explained how MITRE’s System of Trust can serve as a standard for software supply chain risk. The two also chatted with Paul about the greater issues facing software supply chains today, such as standardization and transparency.

How Do You Trust Open Source Software?

ReversingLabs — Wed, 14 Jun 2023 12:55:23 -0400

In this episode, host Paul Roberts chats with Naveen Srinivasan, an OpenSSF Scorecard Maintainer, about his talk at this year’s RSA Conference on how to better trust open source software. In their conversation, Naveen explains how the OpenSSF Scorecard tool can help developers understand the security posture of open source dependencies.

The State of Application Security

ReversingLabs — Thu, 01 Jun 2023 09:02:10 -0400

In this episode, we interview Chris Romeo, CEO of Kerr Ventures and long-time application security (app sec) practitioner on the sidelines of the 2023 RSA Conference. He gives a rundown on the state of app sec and comments on other software threats posed to organizations today.

Red Teaming the Indian Government

ReversingLabs — Tue, 23 May 2023 09:24:54 -0400

In this episode of ConversingLabs, host Paul Roberts chats with John Jackson, a security researcher, about the work he and research group Sakura Samurai did in looking at exposed secrets and other threats on Indian government websites.

SBOM skeptics and talks about the importance of software supply chain transparency

ReversingLabs — Wed, 10 May 2023 16:41:06 -0400

In this special Café edition of ConversingLabs, host Paul Roberts interviews Joshua Corman, the Vice President of Cyber Safety Strategy at Claroty and the Founder of I Am The Cavalry on the sidelines of the RSA Conference 2023 in San Francisco. Josh speaks with Paul about his RSAC track session, The Opposite of Transparency, which takes on skepticism of software bill of materials (SBOMs) and makes an argument for greater transparency around software supply chain risk.

Malware & Software Supply Chain Security

ReversingLabs — Thu, 27 Apr 2023 08:00:00 -0400

In this special edition episode of ConversingLabs, host Paul Roberts interviews ReversingLabs Director of Product Management, Charlie Jones, on the sidelines of the 2023 RSA Conference in San Francisco. Charlie speaks with Paul about his RSAC track session: The Rise of Malware Within the Software Supply Chain.

Contextualizing the National Cybersecurity Strategy

ReversingLabs — Wed, 26 Apr 2023 11:30:00 -0400

In this episode, host Paul Roberts chats with Devin Lynch, Director of Supply Chain and Technology Security for the Office of the National Cyber Director, about the National Cybersecurity Strategy released by the White House last month. They discuss the motivations behind this policy move, what its impact will be in the short and long term, as well as what else the federal government plans to prioritize in this area. Lynch also details upcoming plans the federal government has to better secure open source software as a part of the greater effort to secure software supply chains.

The Future of Bug Bounties

ReversingLabs — Wed, 19 Apr 2023 12:00:00 -0400

In this episode, host Paul Roberts chats with Katie Mousourris, CEO and Founder of Luta Security. Mousourris has a robust background in creating and running bug bounty programs as well as professional hacking. In their conversation, she discusses the evolution of professional hacking and how important bug bounty programs have become to the cybersecurity field. She also highlights the problems these programs have faced as well as how they can help identify risks in other spaces like software supply chains. Finally, Mousourris paints a picture of what the future holds for bug bounties and the place of professional hackers.

The Road to Software Supply Chain Security Compliance

ReversingLabs — Wed, 29 Mar 2023 12:05:23 -0400

In this episode, host Paul Roberts chats with Steve Lasker, a former Azure Program Manager with over 20 years of experience at Microsoft. Lasker touched on his industry experience to explain how the effort to secure software has evolved into what it is today. He then explained how government standards for software supply chain security globally will benefit the industry, and will cause a great shift in the market. He points out that the software providers who meet the greatest possible compliance in this area will succeed, given the concern that companies now hold over software supply chain attacks, as well as being held liable for them.

The Silent Epidemic of Business Email Compromise (BEC) Attacks