More The Secure Disclosure episodes

How to Stop Supply Chain Attacks Without Destroying Developer Productivity thumbnail

How to Stop Supply Chain Attacks Without Destroying Developer Productivity

Published 14 Jul 2026

Duration: 00:35:33

"Cybersecurity threats, especially supply chain attacks on developers and open-source packages, demand balanced mitigation strategies, AI-driven security challenges, and early integration of security in development, with collaboration and adaptability key to addressing evolving risks."

Episode Description

In this episode of The Secure Disclosure Podcast, host Mackenzie sits down with Arun Singh, CISO of Tyro Payments. Drawing from his journey from an en...

Overview

The podcast discusses the evolving landscape of cybersecurity, with a focus on the rising sophistication of supply chain attacks that exploit developer endpoints, CI/CD pipelines, and open-source dependencies. A key challenge highlighted is the counterintuitive risk of rapid patching, where newly released malicious packages can be inadvertently adopted; to mitigate this, a 7-day cooldown period for package updates is suggested. The growing use of AI in both development and cyber threats is emphasized, as it accelerates vulnerability discovery and exploitation, outpacing small security teams. Collaboration across organizations remains limited due to regulatory and competitive concerns, weakening collective defense.

Effective security leadership requires balancing innovation with protection, integrating security early in development, and aligning security strategy with business goals. Security teams must understand developers' workflows to implement controls that minimize friction, using pilot testing and feedback loops to build trust. Red teaming and hands-on engagement help developers grasp real-world risks, while reliance on security tools is cautioned against due to false positives and vendor overpromising. The discussion also explores the importance of manual code review, secure dependency management, and avoiding hardcoded secrets in repositories.

The role of AI in coding is examined critically: while AI boosts productivity and acts as a "second brain" for contextual recall, full reliance on AI-generated code without understanding poses significant risks. The conversation advocates for security professionals to use the same tools as developers, including AI coding assistants, to provide actionable insights. Ultimately, security is framed as a collaborative, business-enabling function that requires technical depth, communication, and influence to effectively protect organizations amid an increasingly complex threat environment.

What If

  • What if you delayed dependency updates by 7 days to assess for malicious activity?

    • Move: Implement a manual or automated 7-day cooldown period before applying any non-critical dependency updates in your projects. Use tools like Dependabot or Renovate with delayed schedules, and monitor public repositories, security advisories, and maintainers' behavior during this window.
    • Why Now?: Malicious actors are publishing compromised packages immediately after legitimate versions, exploiting automatic update systems. The rise in supply chain attacks makes immediate updates riskier than delayed, verified ones.
    • Expected Upside: Avoid installing poisoned packages in your software, reduce emergency patching incidents by up to 60%, and increase confidence in your dependency chain without sacrificing long-term maintainability.
  • What if you adopted AI coding tools and reviewed every output line for security flaws?

    • Move: Integrate an AI coding assistant (e.g., GitHub Copilot, Claude) into your workflow but enforce a strict rule: no AI-generated code is committed without manual review focused on input validation, dependency use, secrets, and access control patterns.
    • Why Now?: AI accelerates development but also propagates vulnerabilities faster - especially in solo workflows where oversight is minimal. The window between AI adoption and breach is shrinking.
    • Expected Upside: Retain AI-driven productivity gains while reducing the risk of introducing CVEs or logic flaws; build deeper fluency in secure coding patterns through active critique of AI outputs.
  • What if you treated your local dev environment as a potential attack vector and audited it weekly?

    • Move: Run weekly audits of installed packages, cached dependencies, and secrets on your development machine using tools like Aikido, Trivy, or custom scripts. Purge unused packages and scan for .env files or credentials in local repos.
    • Why Now?: Developer endpoints are prime targets in supply chain attacks - malware can persist in cached packages or stolen secrets even if the main repo is secure. Solo developers often overlook local hygiene.
    • Expected Upside: Reduce risk of credential leakage or backdoored local dependencies compromising builds; catch misconfigurations before deployment; strengthen your position if regulatory scrutiny increases.

Takeaway

  • Implement a 7-day cooldown period before updating third-party dependencies to mitigate the risk of supply chain attacks from malicious package releases.
  • Use IDE-based application security tools (e.g., Aikido) to scan code in real time for vulnerabilities, secrets, and insecure patterns as part of the developer workflow.
  • Conduct hands-on red teaming or "vibe coding" exercises to understand developer workflows and demonstrate real-world attack impacts for more effective security integration.
  • Avoid auto-updating dependencies; instead, pin versions and conduct manual reviews to maintain control over when and how updates are applied.
  • Actively analyze code context when responding to CVEs - verify if vulnerable functions are actually used rather than reacting to tool-generated alerts blindly.

Recent Episodes of The Secure Disclosure

1 Jul 2026 Solving the Supply Chain Security & Malware Crisis w/John Amaral

Escalating software supply chain threats target open-source ecosystems through credential exploitation, AI-fueled malware, and upstream compromises, with challenges in dependency management and outdated libraries driving AI-driven remediation strategies like automated patching and version pinning, though human oversight remains critical for validating fixes.

16 Jun 2026 Your Microphone Became a Keylogger w/ David vonThenen

Machine learning analyzes keystroke acoustic signatures to infer typed characters over remote platforms, highlighting high accuracy with known keyboards, privacy risks from surveillance, and challenges in noise and variability, while proposing defenses and noting AI's dual-use implications.

9 Jun 2026 Understand the Software Supply Chain Chaos w/ Roeland Delrue

Rapidly evolving supply chain security threats, including malicious open-source components and AI-driven malware, demand advanced AI-powered solutions like Akito Securitys self-securing software and tailored tools to address vulnerabilities in developer environments and package repositories.

28 May 2026 Prompt Injection Might Never Be Solved w/ Paul Vann

The text details AI security threats like prompt injection, jailbreak attacks, and distillation attacks, along with vulnerabilities such as AI bias and autonomous agent risks, highlighting detection challenges, emerging malware, supply chain exploits, and the industry's struggle to keep pace with rapidly evolving AI technologies.

More The Secure Disclosure episodes