Every year, RSAC attempts to spotlight the newest security industry trends, challenges, and opportunities of the year for one full week, a week that has the potential to fundamentally shift the way companies re-engineer their approach to security. So what did this year’s conference unearth for attendees as items to keep an eye on?
The Security of the Software Supply Chain is More Important Than Ever
The software supply chain is getting more complex, with teams using more tools than are sustainable, and developers are being asked to do more with limited bandwidth. The result: the developer’s tools are a new attack vector for bad actors. Additionally, our recently published JFrog Software Supply Chain State of the Union 2025 report showed that over 70% of developers download software packages directly from public registries, without any filtering of vulnerable or malicious packages. This risky practice can expose an entire organization to attacks through a single developer’s machine. When coupled with a 27% YoY increase in the number of CVEs discovered, IT and security teams have their work cut out for them when it comes to building a front-line software supply chain defense strategy.
Luckily, RSAC insights seemed to indicate that security teams are trying to move to unified platforms that ease the security burden on developers and that augment and automate security checkpoints throughout the SDLC, helping to ensure software supply chains remain secure.
Now is the Time to Move to Proactive, Holistic Approaches to Risk Management
We, as CISOs, have known this for some time, but this year’s RSAC has driven home, for the wider industry, that having a reactive approach to security is “a career-limiting move” and not recommended. DevSecOps teams must move to proactive risk management programs that include continuous monitoring, policy-enforced security requirements at every stage, and tailored incident response plans for supply chain scenarios. Thankfully, RSAC experts noted the importance of DevSecOps best practices like software bills of materials (SBOMs) and having an end-to-end platform approach coupled with an effective process flow model to provide multiple levels of security and drastically reduce reactive security behaviors.
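The two risks above, unfiltered downloads straight from a public registry and the absence of policy enforcement at each stage, can both be caught by a small gate in the build pipeline. The following script is an added example, not code from the article or from JFrog: it checks a pip requirements file for three policy rules (the index must be an approved curated registry, every dependency must be pinned with `==`, and every dependency must carry a sha256 `--hash` so pip can verify integrity). The approved registry URL, the sample requirements files and the digest are constructed placeholders.

```python
"""Policy gate for a pip requirements file.

Rules enforced (a concrete instance of "policy-enforced security
requirements at every stage"):
  1. --index-url must point at an approved, curated registry, not a
     public one, so packages reach developers only after filtering.
  2. Every requirement must be pinned with == (reproducible builds, and
     the SBOM describes what was actually deployed).
  3. Every requirement must carry at least one sha256 --hash so pip
     refuses a tampered or substituted artifact.
"""
import re
from dataclasses import dataclass

# Assumed policy value (not from the article): the organisation's internal
# proxy that filters vulnerable and malicious packages before serving them.
APPROVED_INDEXES = {"https://pypi.example-corp.internal/simple"}

# Constructed placeholder digest (64 hex chars), not a real package hash.
FAKE_HASH = "ab" * 32


@dataclass(frozen=True)
class Finding:
    line_no: int   # first physical line of the offending logical line
    package: str   # package name, or "<index>" for registry findings
    message: str


def _logical_lines(text):
    """Yield (first_line_no, joined_line), honouring pip's backslash
    continuations so multi-line --hash blocks are seen as one requirement."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if start is None:
            start = no
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf).strip()


# Package name with optional extras, e.g. "requests" or "requests[socks]".
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?")


def check_requirements(text, approved=APPROVED_INDEXES):
    """Return a list of Findings; an empty list means the file passes policy."""
    findings = []
    index_url = None
    for no, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith(("--index-url", "-i ")):
            # Accept "--index-url URL", "--index-url=URL" and "-i URL".
            index_url = re.split(r"[=\s]+", line, maxsplit=1)[1].split()[0]
            if index_url not in approved:
                findings.append(Finding(
                    no, "<index>",
                    f"index {index_url} is not an approved registry"))
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope for this gate
        m = NAME_RE.match(line)
        if not m:
            findings.append(Finding(no, "?", f"unparseable requirement: {line}"))
            continue
        name, rest = m.group(1), line[m.end():]
        if not rest.startswith("=="):
            findings.append(Finding(no, name, "not pinned with =="))
        if not re.findall(r"--hash=sha256:([0-9a-f]{64})", rest):
            findings.append(Finding(
                no, name, "no sha256 --hash, integrity cannot be verified"))
    if index_url is None:
        findings.append(Finding(
            0, "<index>",
            "no --index-url, pip would fall back to the public default"))
    return findings


def is_compliant(text, approved=APPROVED_INDEXES):
    """True when the requirements file raises no findings."""
    return not check_requirements(text, approved)


# Constructed sample inputs. The first follows policy; the second is the
# "download directly from the public registry" pattern the report warns about.
SAMPLE_GOOD = f"""\
--index-url https://pypi.example-corp.internal/simple
requests==2.32.3 \\
    --hash=sha256:{FAKE_HASH}
"""

SAMPLE_BAD = """\
# unpinned, unhashed, and pulled straight from the public registry
--index-url https://pypi.org/simple
requests
flask>=3.0
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{label}: compliant={is_compliant(sample)}")
        for f in check_requirements(sample):
            print(f"  line {f.line_no}: {f.package}: {f.message}")
```

Run as a pre-merge check, a non-empty finding list fails the build; the same three rules map directly onto what an SBOM consumer later needs (exact versions and digests), which is why pinning and hashing belong at the earliest stage rather than being reconstructed after the fact.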
Transparency and Traceability are Need-to-Haves, Not Nice-to-Haves
Traceability and visibility are the lifeblood of a successful software supply chain, but as the supply chain becomes more complex, these two things also become more difficult to achieve. Teams need clear visibility and access to understand a software solution’s genealogy throughout its entire build and update cycles. Though we know this as a tenet of software supply chain security, this year’s RSAC emphasized that the industry needs to overcome the hurdles of complexity. Yet, I don’t feel the industry is well-equipped to do that right now.
I anticipate we will move closer to an answer by RSAC 2026, but the industry needs to focus more attention here immediately, no question.
Agentic AI is More than a Buzzword – Or is It?
You couldn’t get across the expo floor at RSAC this year without hearing the word “agentic AI.” In the context of the software supply chain, I approach agentic AI with cautious optimism, but also with a bit of (welcomed) paranoia. I think we should all do the same.
AI-powered tools are transforming supply chain security, enabling faster code development and identifying coding vulnerabilities. However, agentic AI can introduce unknown risks that require diligent oversight. While a core promise of agentic AI is its ability to defend against threat actors who are, ironically, also using more AI-driven attack methods to bypass all security measures, it’s also entirely possible that using agentic AI as part of your security strategy may introduce even more problems. When it comes to these emerging technologies, the fact is, we still don’t know what we don’t know, and securing one’s software supply chain is not an area where we can afford much trial and error.
AI/ML development is no different than any other software development process. Thus, enterprises need to adopt the same concepts that have traditionally applied to all software development: establishing developer-friendly workflows with strong security, robust governance, and full lifecycle management. ML models are just like software binaries, and they must be managed as first-class software artifacts. If we move too fast with agentic AI, we may bypass these needed elements.
I have hope for agentic AI’s future, but in the short-term I implore all CISOs and security decision makers to ask for hard outputs, demonstrated ROI and well-defined controls before investing in an agentic AI system.
Same Time Next Year?
RSAC is one of the best times of the year to learn about the next frontier of our industry. I left this year’s event feeling enriched and excited for what is to come in 2026, but also very aware of all the work we have left to do before we can say “we’ve got this.” The threat landscape is growing and attackers are becoming more sophisticated. Our technology is becoming more sophisticated too, but that can also cause problems, and we’re creating more apps and more systems daily without a corresponding increase in the number of developers needed to safely manage them. We’re moving in a positive direction and discovering more than ever about what we need to stay secure, but we still have work to do.
Paul Davis is a distinguished IT security leader with over 20 years of experience shaping secure solutions for organizations worldwide. His career highlights include serving as CISO for a Fortune 10 company, CSO for critical infrastructure sectors, Director of Security Operations at a major stock exchange, and head of a global incident response team. In his role as Field CISO at JFrog, Paul draws on this extensive expertise to help organizations strengthen their software supply chains and implement end-to-end security. His background encompasses systems engineering, program management, software development, and operations. Paul has successfully launched software companies, developed innovative solutions, and delivered transformative services for global enterprises.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.