RSAC 2025 Recap: Software Supply Chain Security Takes Center Stage
The RSA Conference 2025, held April 28 – May 1 at the Moscone Center in San Francisco, brought together over 44,000 cybersecurity professionals from around the world. This year’s event, the 34th annual flagship conference, placed significant emphasis on software supply chain security and secure software development lifecycle (SDLC) practices. From the keynotes, speaking sessions, and 1:1 conversations I had on the show floor, eight key themes came up over and over again.
Software supply chain security highlights
Here’s a brief overview of the key developments and trends presented and discussed at the conference.
There are too many tools
The conference highlighted concerns about the expanding vendor ecosystem and the risks of over-relying on third-party tools for critical services. Our latest Software Supply Chain State of the Union report confirms this trend hasn’t improved—70% of organizations surveyed still use seven or more tools to secure their software supply chains, and half use 10+ tools.
Walking through the expo halls, I encountered a number of new and exciting solutions. While it may be tempting to look at all those new tools and imagine them in your own toolbox, I’d recommend stepping back for a gap analysis to ensure you’re not taking on more than what’s necessary. Remember that all tools, no matter how shiny, require careful integration into your existing process flow.
The software supply chain remains a top attack vector
The 2025 conference highlighted how both open source and commercial software supply chains remain prime targets for attackers. Recent high-profile incidents in 2024, from OSS projects like XZ Utils to commercial vendors, demonstrate the ongoing risks of managing dependencies and vulnerabilities throughout the software ecosystem. Keep in mind that complexity introduces unwanted risk, making streamlined approaches more effective.
There’s a shift toward proactive, holistic risk management
Experts emphasized the importance of moving beyond reactive security. Organizations should implement proactive risk management programs that include continuous monitoring, policy-enforced security requirements, and tailored incident response plans for supply chain scenarios. While a Software Bill of Materials (SBOM) and DevSecOps practices were consistently highlighted as essential foundations, speakers also stressed the need to have processes supporting an end-to-end platform approach. Of course, problems are not solved only with a platform approach – you also need a process flow model that’s effective and provides multiple layers of security.
AI and automation are a double-edged sword
AI-powered tools are transforming supply chain security, enabling faster code development and helping to identify coding vulnerabilities. However, the rise of “agentic AI” (autonomous agents capable of making decisions) and the rapid interest in MCP (Model Context Protocol) introduce new, unfamiliar risks that require careful oversight. While attackers are leveraging AI and automation to scale their attacks, defenders must also have the ability to monitor and respond at machine speed.
The challenge lies in ensuring AI-driven responses don’t become as damaging as the malicious attacks they aim to prevent. We need strong controls and foundations for designing, developing, and delivering AI-enabled solutions securely and reliably. These AI/ML solutions must be easy to manage, monitor, and protect, three traditional disciplines that need to evolve to address the unique aspects of AI/ML.
Transparency and traceability are critical
The complexity and opacity of modern software supply chains make it difficult to map dependencies and verify component integrity, especially when the oversight of an experienced human reviewer is removed. Teams need clear visibility and access to understand a software solution’s genealogy throughout its build and update cycles.
While emerging technologies like PQC and blockchain are being explored to provide immutable, end-to-end traceability for software components, there’s still work to be done. Based on discussions I had at the event, I believe that although there isn’t an immediate threat to SDLCs, organizations should begin planning how to automate this certification process within their software supply chains.
Unified security platforms win out over siloed tools
A growing consensus shows that fragmented, best-of-breed security solutions are no longer adequate. Organizations are shifting toward unified platforms that provide comprehensive visibility, accurate threat detection, and swift response capabilities throughout the software lifecycle. These platforms serve to reduce complexity while driving operational consistency.
Operationalizing threat intelligence remains an opportunity
The gap between collecting threat intelligence and turning it into actionable, automated responses remains a major challenge. Security teams are under pressure to enrich, prioritize, and act on threats faster, breaking down silos and embracing automation wherever possible. Ironically, it appears that organizations are only now starting to realize that the tools used to build software produce an amazing amount of information that can be used by security operations teams. In some cases, the two teams use different tools to generate the same data, and one could start asking the question: “Do we really need to generate the same data twice?”
Seek solutions that enable speed, security, and scalability
I engaged in numerous in-depth discussions focusing on the critical challenge of how to balance agility and security in software development at scale. These conversations consistently highlighted the tension between maintaining rapid development cycles while implementing robust security measures, particularly as organizations grow and their software systems become more complex. Stakeholders shared various perspectives on finding the right equilibrium between speed-to-market demands and comprehensive security protocols, emphasizing the need for scalable solutions that don’t compromise either aspect.
In summary
As always, the RSA Conference proved to be an enriching experience. I look forward to reconnecting with attendees next year to remain ahead of industry developments.
To see how the JFrog Platform can help secure your software supply chain, schedule a demo, take a tour, or start a free trial today.