None
<p>The post <a href="https://blog.gitguardian.com/snowfroc-2026/">SnowFROC 2026: Secure Defaults, Real Trust, and a Better Layer on Top</a> appeared first on <a href="https://blog.gitguardian.com/">GitGuardian Blog – Take Control of Your Secrets Security</a>.</p><p><img decoding="async" src="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/SnowFROCimage.png" alt="SnowFROC 2026: Secure Defaults, Real Trust, and a Better Layer on Top"></p><p>Denver likes a good origin story. The city still keeps a marker for <a href="https://visitdenver.com/blog/post/cheeseburger-birthplace/?ref=blog.gitguardian.com"><u>Louis Ballast and the Humpty Dumpty Barrel, the local spot tied to the cheeseburger’s Colorado claim</u></a>. That detail felt oddly right for <a href="https://snowfroc.com/?ref=blog.gitguardian.com"><u>SnowFROC 2026</u></a>. A cheeseburger is a small upgrade that changes the whole meal. This year’s conference kept returning to the same ideas in AppSec, such as how meaningful security progress often comes from well-placed layers that make the better choice easier to make. </p><p>The Snow in "SnowFROC" is due to the time of year the event takes place and the good possibility that it will snow, <a href="https://bsky.app/profile/mdwayne-real.bsky.social/post/3mjplq47s4m2x?ref=blog.gitguardian.com"><u>which it did this year</u></a>. The other half of the name stands for Front Range OWASP Conference. This year, they expanded it into a two-day event in Denver that drew about 400 attendees to see 35 sessions, take part in 8 half-day training sessions, a CTF, and multiple village activities. The room carried that blend of practical curiosity and sharp hallway conversation that makes any security conference worth the trip. </p><p>Throughout the event, the sessions covered how software is actually built now: fast, AI-assisted, dependency-heavy, and spread across more people and systems than any one security team can fully monitor alone. The strongest sessions focused on incentives, workflows, trust boundaries, and the places where attackers keep finding leverage because defenders still leave too much to intent, memory, and good luck.</p><p>Here are just a few notes from SnorFROC 2026.</p><h2 id="the-human-layer-in-secure-defaults"><strong>The Human Layer in Secure Defaults</strong></h2><p>In the keynote from<a href="https://ca.linkedin.com/in/tanya-janca?ref=blog.gitguardian.com"><u> Tanya Janca, founder of She Hacks Purple Consulting</u></a>, called "Threat Modeling Developer Behavior: The Psychology of Bad Code," she explained that in AppSec, insecure code is rarely just a technical failure. It is usually a human one. Developers work under pressure, chase deadlines, respond to incentives, and fall back on habits, biases, and shortcuts that feel reasonable in the moment. Instead of telling people they are wrong and expecting better outcomes, AppSec teams need to understand why those choices happen in the first place. Psychology helps explain the gap between what teams say they value and what their systems actually reward.</p><p>Tanya talked about intervention and prevention over blame. Secure defaults beat secure intent because they remove friction and make the safer path the easier one. That can look like pre-commit hooks, IDE nudges, secure-by-default templates, and frequent reminders placed where decisions actually happen, not buried in a wiki. The same logic applies to training. Annual compliance sessions and lists of what not to do do not change behavior very well. Teaching secure patterns, explaining the why behind them, and reinforcing them in small daily ways is far more likely to stick. The goal is not more nagging. It is better environmental design.</p><p>Tayna shared her experiences about AI-assisted coding triggering automation bias, where people trust confident suggestions too quickly. Tight deadlines push present bias, making future breach risk feel abstract next to immediate shipping pressure. Copying code from forums, skipping tests, ignoring warnings, avoiding documentation, or showing off with clever code all follow similar patterns. </p><p>She asked us all to build systems that reward maintainable, tested, secure work and measure what actually matters, including time to fix, adoption of secure patterns, and real vulnerability reduction. If teams want secure coding to be real, they have to make it the path of least resistance.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img decoding="async" src="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-9b8dc1df-9ed9-4d7b-8e9d-fa969e3d8d20.png" class="kg-image" alt="SnowFROC 2026: Secure Defaults, Real Trust, and a Better Layer on Top" loading="lazy" width="1000" height="753" srcset="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/size/w600/2026/04/data-src-image-9b8dc1df-9ed9-4d7b-8e9d-fa969e3d8d20.png 600w, https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-9b8dc1df-9ed9-4d7b-8e9d-fa969e3d8d20.png 1000w" sizes="auto, (min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Tanya Janca</span></figcaption></figure><h2 id="trust-has-become-a-supply-chain-primitive"><strong>Trust Has Become a Supply Chain Primitive</strong></h2><p><a href="https://www.linkedin.com/in/chris-lindsey-39b3915?ref=blog.gitguardian.com"><u>Chris Lindsey, Field CTO at OX Security</u></a>, started his talk "Inside the Modern Threat Landscape: Attacker Wins, Defender Moves, and Your Priorities," with a reminder that choosing not to act is still a choice. In today’s threat landscape, a small set of attack vectors keeps showing up in outsized breaches, including credential theft, session hijacking, phishing, typosquatting, browser extensions, DNS poisoning, and software that appears to come from trusted sources. The common thread is trust. Attackers do not usually break in by brute force alone, instead they build credibility first through a convincing email or a familiar package name, or a browser extension that looks legitimate on the surface. </p><p>Chris asked us to think in terms of what security leaders are asked by boards all the time and often struggle to answer: what did we actually get for this investment? What we need more disciplined framework for evaluating security spending based on risk reduction per dollar. That means asking better questions up front: what threat does this control address, what does it really cost once licensing, implementation, staffing, and maintenance are included, and what measurable reduction in exposure does it create? This is how you get to structured decision-making. When security teams can explain why one control was prioritized over another in terms that leadership understands, the conversation changes from vague reassurance to defensible tradeoffs.</p><p>If software and packages are still being pulled in freely, if extensions get broad permissions without scrutiny, and if reviews stop at surface-level validation, the pipeline stays open to abuse. Chris walked through examples that looked benign at first glance but revealed patterns of Trojan behavior, suspicious permissions, deceptive imports, callback infrastructure, and signs of rushed or obfuscated code. Prioritization is key. </p><p>He gave us the practical advice of what we could immediately implement: Scan software before use, review open source with stronger technical oversight, pin safe packages, and introduce cooldown periods. We must adopt a posture in which we rotate keys aggressively, sever malicious command-and-control connections urgently, and embrace AI to scale analysis where it adds real value. Attackers are operating in the real world and have no intention of reading your threat model. Your defenses need to be just as practical and reality-based.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img decoding="async" src="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-8f9ce2b3-f9b8-4cbd-a00b-c76b372e776b.png" class="kg-image" alt="SnowFROC 2026: Secure Defaults, Real Trust, and a Better Layer on Top" loading="lazy" width="1000" height="753" srcset="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/size/w600/2026/04/data-src-image-8f9ce2b3-f9b8-4cbd-a00b-c76b372e776b.png 600w, https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-8f9ce2b3-f9b8-4cbd-a00b-c76b372e776b.png 1000w" sizes="auto, (min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Chris Lindsey</span></figcaption></figure><h2 id="npm%E2%80%99s-crisis-is-really-an-operations-story"><strong>npm’s Crisis Is Really an Operations Story</strong></h2><p>In the session from<a href="https://www.linkedin.com/in/jenngile?ref=blog.gitguardian.com"><u> Jenn Gile, founder of OpenSourceMalware.com</u></a>, called "npm's dark side: Preventing the next Shai-Hulud," she presented the last year of npm account takeovers and package compromises as a lesson in how malware now rides normal engineering behavior. Jenn drew a sharp line between two kinds of software risk: accidental vulnerabilities and intentionally malicious packages. A vulnerability is a flaw that can be exploited if an attacker has a viable path. Malicious software is built from the start to cause harm, often by targeting developers and build environments directly, and it does not always need the same kind of runtime path to do damage. Malicious code does rely, though, on abusing trust. When trust is the vector, the usual instinct to stay on the latest version can become part of the problem.</p><p>The heart of the session was account takeover (ATO) and why npm remains such an attractive target. Install scripts still run by default, and provenance is not mandatory. Long-lived publishing tokens remain common. In practice, that means attackers do not always need to break the package ecosystem itself. They can hijack trust that already exists. Jenn walked through a string of compromises from 2025 into 2026, including phishing campaigns, typosquatted domains, spoofed maintainer emails, CI and GitHub Actions token theft, and follow-on attacks that used stolen secrets to widen the blast radius. The throughline across cases like Nx, Qix, <a href="https://blog.gitguardian.com/shai-hulud-2/"><u>Shai-Hulud</u></a>, <a href="https://blog.gitguardian.com/team-pcp-snowball-analysis/"><u>TeamPCP</u></a>, and Axios was not just a technical weakness. It was how easily trusted maintainers, trusted packages, and trusted upgrade habits could be turned against the people relying on them.</p><p>Jenn explained that hardware keys help protect the human authentication path, while trusted publishing helps protect the machine path by tying publication to a specific GitHub Actions identity. Session-based authentication can reduce exposure windows, even if it does not eliminate the risk of phishing. However, strong controls only work if teams actually use them, and right now, friction and bias still get in the way.</p><p>Jenn's advice was to treat malware prevention as a team sport across development, product security, cloud security, and incident response. Use lockfiles, avoid automatic upgrades, scrutinize lifecycle scripts, harden CI, scan for malware earlier, rotate and scope credentials, monitor for misuse, and build supply chain playbooks that account for how malware behaves differently from ordinary vulnerabilities, especially in the JavaScript and Python ecosystems.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img decoding="async" src="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-9a5b7271-e518-415c-a8fe-141df547adab.png" class="kg-image" alt="SnowFROC 2026: Secure Defaults, Real Trust, and a Better Layer on Top" loading="lazy" width="1000" height="753" srcset="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/size/w600/2026/04/data-src-image-9a5b7271-e518-415c-a8fe-141df547adab.png 600w, https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-9a5b7271-e518-415c-a8fe-141df547adab.png 1000w" sizes="auto, (min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Jenn Gile</span></figcaption></figure><h2 id="scale-comes-from-systems-not-heroics"><strong>Scale Comes From Systems, Not Heroics</strong></h2><p>In the final talk of the day, from <a href="https://www.linkedin.com/in/mudita-khurana-87b72442/?ref=blog.gitguardian.com"><u>Mudita Khurana, an Airbnb staff security engineer</u></a>, called "Scaling AppSec through humans & agents," they presented a model for handling a world where code volume is rising fast, AI tools are now common, and meaningful portions of code are being produced outside the old IDE-centered workflow. She explained her company is seeing more code, more contributors, and far more code generated with AI than even a few years ago. Today nearly all pull request authors are using AI coding tools weekly, a meaningful amount of code is now written by non-engineers outside the IDE, and a large share of total code is AI-generated. Mudita explained you cannot keep up by adding manual review alone. Their response is a layered one: unified tooling to create consistency, LLM agents to extend coverage, and a human network to bring judgment and context where automation still falls short.</p><p>A single security CLI acts as the abstraction layer over capabilities like static analysis, software composition analysis, secrets detection, and infrastructure-as-code scanning, with the same experience, exemptions, and metrics no matter where it runs. That lets security checks show up across the developer workflow, from lightweight pre-commit feedback to fuller pull request scans and post-merge coverage. </p><p>On top of that, the team is using AI for security review in a more grounded way than generic prompting. Instead of asking a model for a broad security pass, they feed it security requirements as code, along with internal frameworks, auth models, and known anti-patterns. They also measure prompt changes against a dataset built from real historical vulnerabilities, which gives them a baseline for whether the agents are actually improving.</p><p>The part of their plan that Mudita was the most excited to share was their security champions program. They do not treat this program as volunteer side work. It is tied to the engineering career ladder, backed by real responsibilities, and supported with a two-way flow of data between security and the orgs doing the work. These champions help write custom rules, triage findings, support risk assessments, and drive adoption because they understand the business context in a way central security teams often cannot. They have created a feedback loop where human insight improves the tools, the tools improve the signal, and prevention gradually moves earlier, into the IDE, into AI prompts, and into the default way code gets written.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img decoding="async" src="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-6417a808-7d7c-4078-abe8-5bafd5d0ab0b.png" class="kg-image" alt="SnowFROC 2026: Secure Defaults, Real Trust, and a Better Layer on Top" loading="lazy" width="1000" height="753" srcset="https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/size/w600/2026/04/data-src-image-6417a808-7d7c-4078-abe8-5bafd5d0ab0b.png 600w, https://storage.ghost.io/c/42/5d/425d266f-cf99-406e-9436-597a19bed011/content/images/2026/04/data-src-image-6417a808-7d7c-4078-abe8-5bafd5d0ab0b.png 1000w" sizes="auto, (min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Mudita Khurana</span></figcaption></figure><h2 id="security-that-lives-where-decisions-happen">Security that lives where decisions happen</h2><p>One pattern ran through almost every strong session: security works best when it shows up at the point of action. In an IDE. In a pull request. In a package policy. In a browser extension review. In a token issuance flow. In a prompt used by an AI assistant. Teams still lose time when secure guidance lives in a wiki, a yearly training deck, or a control that runs too late to influence the original choice.</p><p>That shift sounds simple, but it changes program design. It favors lightweight friction, contextual signals, paved paths, and small reminders over large annual campaigns. It also favors security teams that can collaborate with developer platforms, identity teams, and cloud teams instead of operating as a separate review function.</p><h3 id="the-new-perimeter-is-made-of-borrowed-trust"><strong>The new perimeter is made of borrowed trust</strong></h3><p>Modern software development depends on borrowed trust. Developers trust registries, packages, maintainers, AI suggestions, browser tools, and automation pipelines. Organizations trust tokens, runners, integrations, and service accounts to behave within expected bounds. Attackers know that every one of those relationships can be bent.</p><p>That has direct implications for secrets management and non-human identities. A stolen token, an over-scoped credential, or a poisoned dependency can move through trusted systems much faster than traditional controls were built to handle. The answer is tighter provenance, shorter credential lifetimes, stronger attestation, clearer ownership, and continuous review of the trust assumptions hiding inside delivery pipelines.</p><h3 id="maturity-now-means-feedback-loops"><strong>Maturity now means feedback loops</strong></h3><p>There was another persistent theme that we need to focus on creating feedback loops. Behavioral nudges need measurement to know how to improve them. Threat prioritization needs cost and impact models to claim success. AI review needs evaluation against real defects to be meaningful. Supply chain response needs intelligence, containment, and recovery steps that teams can actually execute.</p><p>Mature AppSec programs increasingly look like systems that learn. They collect signals, improve defaults, refine detections, tighten identity boundaries, and push lessons back into the places where code and infrastructure are created. The organizations that do this well will handle AI-generated code, secrets sprawl, and NHI governance with more control because they have already built the habit of turning incidents and friction into better operating models.</p><h2 id="mile-high-city-learnings"><strong>Mile High City Learnings</strong></h2><p>SnowFROC 2026, which happens at the highest altitupd of any OWASP event, felt grounded in the best way. Talks treated security as daily operating design that focused on how people are rewarded, how trust is granted, how credentials spread, and how teams scale judgment without burning out the humans in the loop. Your author was able to give a talk about how we moved from slow waterfall based deployment to a world of DevOps where we have never deployed more, faster. We have a golden opportunity as we adopt AI across our tool chains to rethink authentication in a meaningful way that might just reverberate through all our stacks of non-human identities. That is the feedback look we can all benefit from. </p><p>For teams thinking about identity risk, secrets exposure, and the governance of machine-driven development, SnowFROC offered a useful path forward. Start with defaults. Reduce silent trust. Treat credentials and dependencies as live operational risk. Then build feedback loops that make the next secure decision easier than the last one. That is a practical agenda, and after a snowy spring day in Denver, it also feels achievable.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2026/04/snowfroc-2026-secure-defaults-real-trust-and-a-better-layer-on-top/" data-a2a-title="SnowFROC 2026: Secure Defaults, Real Trust, and a Better Layer on Top"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fsnowfroc-2026-secure-defaults-real-trust-and-a-better-layer-on-top%2F&linkname=SnowFROC%202026%3A%20Secure%20Defaults%2C%20Real%20Trust%2C%20and%20a%20Better%20Layer%20on%20Top" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fsnowfroc-2026-secure-defaults-real-trust-and-a-better-layer-on-top%2F&linkname=SnowFROC%202026%3A%20Secure%20Defaults%2C%20Real%20Trust%2C%20and%20a%20Better%20Layer%20on%20Top" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fsnowfroc-2026-secure-defaults-real-trust-and-a-better-layer-on-top%2F&linkname=SnowFROC%202026%3A%20Secure%20Defaults%2C%20Real%20Trust%2C%20and%20a%20Better%20Layer%20on%20Top" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fsnowfroc-2026-secure-defaults-real-trust-and-a-better-layer-on-top%2F&linkname=SnowFROC%202026%3A%20Secure%20Defaults%2C%20Real%20Trust%2C%20and%20a%20Better%20Layer%20on%20Top" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2026%2F04%2Fsnowfroc-2026-secure-defaults-real-trust-and-a-better-layer-on-top%2F&linkname=SnowFROC%202026%3A%20Secure%20Defaults%2C%20Real%20Trust%2C%20and%20a%20Better%20Layer%20on%20Top" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://blog.gitguardian.com/">GitGuardian Blog - Take Control of Your Secrets Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Dwayne McDaniel">Dwayne McDaniel</a>. Read the original post at: <a href="https://blog.gitguardian.com/snowfroc-2026/">https://blog.gitguardian.com/snowfroc-2026/</a> </p>
