C4DT Conference on Software Supply Chain Security

March 30th, 2023, Swiss Tech Convention Center, EPFL

The past two years saw a new class of vulnerability make headlines: software supply chains. Events such as the SolarWinds and Kaseya cyberattacks or the discovery of the Log4j vulnerability forced organizations to reevaluate their cyber risk exposure.

This one-day conference provides a platform for academia, government, business, NGOs and standard-setting bodies to shed light on software supply chain risks, to outline persisting challenges, and to discuss mitigation tactics, solutions, and best practices as well as emerging frameworks and standardization initiatives.

This event is organized by the Center for Digital Trust (C4DT).


For on-site participation:

The on-site event is limited to approx. 80 attendees and preference will be given to the C4DT community. Nevertheless, you may apply for a spot via the “request onsite participation” button. You will receive an email to confirm your participation. On-site participation will allow you to interact with the speakers and network with peers. A standing lunch and coffee will be provided for all on-site participants.

For online participation:

The conference will be streamed live via Zoom. To register and obtain your link for the webinar please click on the “Zoom Link” button. Registration is free but mandatory.



Welcome Coffee


Welcoming Words

Part 1: Understanding the risk landscape

We face a complex web of interdependence for both hardware and software. A supply chain of software code is behind any application or service delivered. And that software supply chain is only as strong as its weakest link – with attackers taking advantage of any weaknesses. Where do the key software supply chain vulnerabilities lie? How might we understand the threat actors’ mindset?


Introductory talk: Setting the scene on software supply chain risks

by Prof. Mathias Payer, Head of the HexHive Lab, EPFL


Talk: Inside the hacker’s mind – How do criminals operate? 2010 versus 2023

by Ege Balci, Threat Intelligence Team Lead, Prodaft


Talk: Inside the hacker’s mind – Learning from the case study on the TA551 group

by Berk Albayrak, Threat Intelligence Analyst, Prodaft


Networking coffee

Part 2: Exploring the challenges

What are the main barriers to mitigating software supply chain vulnerabilities? From software developers across suppliers to customers: What are the key challenges they are facing and how are they addressing them? A focus on open source software security will provide additional insights and help to explore different perspectives.


Panel: Insights from three stakeholder groups – software developers, suppliers and customers

What are the key challenges different stakeholders are facing in advancing software supply chain security and how are they addressing them?

Moderated by Daniel Saraga, Founder, Saraga Communications


Alban Hessler, Senior Manager Advisory and Professional Services, ELCA Security

Siddhartha Rao, Vice President, Product Security, SAP

Mauro Vignati, Adviser Digital Technologies of Warfare, International Committee of the Red Cross (ICRC)


Talk: Open Source Software Supply Chain Security

by David A. Wheeler, Director of Open Source Supply Chain Security, Linux Foundation

On average 80%-90% of the components of today’s software are open source software (OSS). This presentation will discuss OSS supply chain security, including the most common attacks and the countermeasures against them. It will especially focus on the work being done by the Linux Foundation’s Open Source Security Foundation (OpenSSF) to improve OSS supply chain security, including Supply-chain Levels for Software Artifacts (SLSA), concise guides, education, Scorecards, the Best Practices Badge, Sigstore (for digital signing and verification), and giving multi-factor authentication (MFA) tokens to some widely used OSS projects.


Talk: Open source software security and threat detection – an entry point for assault or remedy?

by Alexandre Dulaunoy, Core Team Member, MISP, and Security Researcher, Computer Incident Response Center Luxembourg (CIRCL)


Networking lunch

Part 3: Implementing solutions and best practices


Talk: Building better foundations for secure software systems

by Prof. Shweta Shinde, Head of the Secure & Trustworthy Systems Group, ETH Zürich


Panel: Advancing the practical implementation of SBOMs and international standards

Moderated by Prof. Mathias Payer, Head of the HexHive Lab, EPFL


Hakim Mkinsi, Technical Programme Manager, ISO

Christoph Plutte, Master Security Specialist, Ericsson Product Security Incident Response Team, Ericsson

Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, DiploFoundation


Networking coffee

Part 4: The Future of software supply chain security


Keynote: [Title to be confirmed]

by Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration


Panel: Exploring the future of software supply chain security

From public-private collaboration across geopolitics to new approaches to data and information supply chain security or an evolving view of open source libraries as critical infrastructure, what factors will impact the future of software supply chain security?

Moderated by Daniel Saraga, Founder, Saraga Communications


Tony De Bos, VP of Global Advisory, Kudelski Security

Stéphane Duguin, Chief Executive Officer, CyberPeace Institute

Prof. Mathias Payer, Head of the HexHive Lab, EPFL

Florian Schütz, Federal Cyber Security Delegate, Swiss Federal Administration


Wrap up and thank you


Conference end