Keynotes

Guardians of the Chain: Past Lessons and Future Threats in Software Security

Justin Cappos is a professor in the Computer Science and Engineering Department at New York University. He is a creator of a variety of software supply chain technologies used to protect millions of devices, including TUF, Uptane, and in-toto. Working with his collaborators, he has also contributed to security architectures used in Git, reproducible builds, major Linux package managers, popular programming language ecosystems, legal repositories, automobiles, medical devices, and more. Due to the depth and breadth of these contributions — along with, perhaps, a few gray hairs — he is sometimes called the “father of software supply chain security”.

Software powers the modern world. However, this software is built with a variety of technologies including IDEs, compilers, dependencies, packaging infrastructures, and (increasingly) agentic systems. These technologies form the software supply chain we all rely on to turn the code we write into working software that helps millions of people.

The security of the software supply chain has moved from a niche problem to a critical part of modern software infrastructure. This keynote gives an overview of the field of software supply chain and the ongoing efforts to secure it. It also addresses the rapid change this field is going through due to the influx of powerful AI agents (such as Mythos) and how industry and academia are trying to shape a more secure future.

Justin Cappos

New York University, USA

Hafsteinn Baldvinsson

CERT-IS, Iceland

Attribution at Home: Lessons from Unmasking a Prolific Phishing Group

Hafsteinn Baldvinsson is a specialist at CERT-IS, Iceland. His career spans over two decades in various IT-related roles at some of Iceland’s largest companies. He began his career as a software engineer for Síminn, a large ISP in Iceland, creating and maintaining various backend systems, which also gave him his first introduction to cyber security. After a brief stint at various companies ranging from start-ups to leading companies, where cyber security was always a passion for him, he joined the Icelandic CERT team. The team, CERT-IS, was at that time a small division within the Electronics Communication Office of Iceland, but as the significance of cyber security increased globally, the team was moved to the Ministry for Foreign Affairs in 2025, signaling the team’s essential role within national defense. At CERT-IS, he is a part of the Incident Response teams, has been a member of some of the team’s key projects, and is now the project manager for the national SOC that is expected to become operational at the end of 2026. His work sits at the intersection of technical operations, strategic planning, and international cooperation.

As state-of-the-art AI models have become accessible to cyber criminals, the world has seen a boom in phishing-related activity. This talk will give a first-hand account of how trivial it can be to track a phishing campaign and unmask its operators—without a single court order. Using a real-world example, the speaker will explain how he uncovered the identities of an active phishing group, what it was like working with law enforcement, the legal and procedural hurdles faced, and the broader lessons that apply far beyond this single case.
