Gareth Bowker
Jscrambler, Head of Security Research
When the 2025 update from OWASP elevated Software Supply Chain Failures to a top-three risk — with the strongest consensus in the project’s history — it signaled a structural shift in how applications are built, delivered, and exploited. Modern applications are no longer built. They are composed of open-source components, CI/CD pipelines, SaaS integrations, third-party scripts, marketing pixels, and increasingly AI-driven services. Many of these components execute not on your servers, but directly in your users’ browsers — where sensitive data is created and immediately exposed.
In this session, Gareth Bowker, Head of Security Research at Jscrambler, examines what OWASP’s shift means for CISOs and application security leaders. Drawing on newly released third-party script research, Gareth reveals not only the security risks of client-side dependencies, but also the data governance implications — including how third-party scripts gain real-time access to user inputs, behavioral signals, and sensitive session data. While organizations have invested heavily in SBOMs, dependency scanning, and build pipeline integrity, runtime client-side exposure remains largely unmonitored.
As PCI DSS introduced mandatory controls for payment pages, OWASP has now reinforced that supply chain risk extends across the entire application surface. Attendees will leave with a clear framework for extending supply chain security beyond the edge — to the browser layer where data is born — and for turning OWASP’s signal into operational action.