Events
CypherCon 2026
CypherCon is Wisconsin’s premier technology and hacker conference, bringing together cybersecurity professionals, tech enthusiasts, and innovators to share knowledge and explore cutting-edge ideas. With engaging keynotes, interactive workshops, and creative challenges, it fosters a collaborative and vibrant community.
Josh Bressers, Anchore’s VP of Security, will be presenting a session on Thursday, April 2: “WTF is going on with CVE?”
Join Anchore Open Source Team: Live Stream
Join us on Thursdays for “Open Source Gardening,” a live stream where the Developer Relations team works with the Engineering minds behind Anchore’s open-source tools, Syft, Grype, and the rest of the family.
We will spend a relaxed hour working on issues and pull requests. There will be technical discussions, some roadmap planning, and audience questions. Every week we stream live on the Anchore YouTube channel.
Beyond the SBOM: Defending the Software Supply Chain Against Modern Attacks
Modern enterprises increasingly depend on sprawling software ecosystems – commercial tools, open‑source components, cloud services, and vendor‑managed infrastructure. While SBOMs have become a critical step toward transparency, they are not enough to keep pace with today’s accelerated exploitation cycles. Attackers now weaponize vulnerabilities within hours, automate reconnaissance across dependency chains, and target infrastructure layers that sit well beyond the reach of traditional software inventories. This session brings together experts who will unpack how adversaries are exploiting the gaps between software, infrastructure, and vendor ecosystems – and what organizations can do to close them. We’ll explore how to operationalize SBOMs, strengthen pre‑deployment controls, harden infrastructure dependencies, and build a continuous monitoring posture capable of detecting and mitigating risk at enterprise scale.
Learning Objectives
- Understand why SBOMs alone cannot defend against modern supply chain attacks and how adversaries exploit infrastructure, identity, and deployment pathways.
- Identify practical methods to evaluate and mitigate vendor and open‑source risks before software is purchased, deployed, or integrated into critical workflows.
- Learn how to collaborate effectively with vendors to remediate vulnerabilities, validate security claims, and maintain trust throughout the software lifecycle.
- Explore continuous monitoring strategies that provide real‑time visibility into emerging risks across both software and infrastructure supply chains.
The Challenges of 3rd Party Software Risk, From Contributions to Consumption
Everyone is talking about the risks of AI in our supply chains. But in reality, AI is just introducing an old problem at a terrifying new speed: 3rd-party risk. So how do you trust code you didn’t write?
Old-school, hard-earned lessons from securing traditional 3rd-party software are still valid in today’s fast-moving AI era.
Join our expert panel as they discuss:
- How to trust upstream contributions when maintainers are flooded with AI-generated PRs and bug reports?
- How to move past static SBOMs to drive actual risk and security decisions?
- Can we safely ingest and manage 3rd-party code without killing developer velocity?
From Paperwork to Provenance: Navigating the FedRAMP 20x Pivot
The “standard” FedRAMP playbook has been rewritten. With the full-scale rollout of FedRAMP 20x in 2026, the program has officially shifted from static, narrative-based documentation to a model of continuous validation and machine-readable evidence. For security engineering teams, this isn’t just a policy update—it is a fundamental change in how cloud-native architectures must be built, audited, and maintained.
Together with InfusionPoints we dissect the new FedRAMP 20x milestones to answer the “how” of engineering for federal scale in the age of AI and automated GRC.
Key Discussion Points
- The Key Security Indicators (KSIs) Shift: How to move from “writing a policy” to “streaming a metric.”
- 2026 AI Governance Overlays: What does “trustworthy AI” look like in a machine-readable authorization package?
- Legacy Rev5 vs. 20x Validated: When to switch from the “Certified” (Rev5) path to the “Validated” (20x) path to avoid the 2027 end-of-life for legacy submissions.
- Automation-First Architecture: Engineering your CI/CD pipelines to output OSCAL-compliant logs that satisfy the new machine-readable submission requirements (RFC-0024).
- The “No-Sponsor” Strategy: How to bypass the agency-sponsor bottleneck by leading with technical maturity.