Amina Emenena
D.Sc. Cybersecurity Candidate, George Washington University | Founder, Build Flow Labs
San Diego, California, United States
Amina Emenena is a D.Sc. candidate in Cybersecurity at George Washington University's School of Engineering and Applied Sciences, where her research on build environment risk governance was awarded Best Paper of Track at the ASBBS 33rd Annual Conference. She is the founder of Build Flow Labs, creator of the Build Chain of Custody (BCoC) evidence standard, and author of the forthcoming book "Pipeline Trust: Automating Trust and Engineering Compliance in the Modern Software Supply Chain." She holds over 15 years of technical and engineering leadership experience including leading remediation for a major platform breach, unmanned aircraft software development, and an Intelligence Community engineering background.
Zero Trust for Build Pipelines: Closing the 55% Governance Gap
Your SBOM tells you what's inside the artifact. It tells you nothing about how it was built, who had access to the pipeline, or whether someone tampered with the process between commit and deploy.
In a 60-day research pilot across 30 repositories, 67% had configurations vulnerable to software supply chain compromise. Only 12% of the repositories would have triggered an alert under SOC 2, SOX ITGC, or NIST 800-53. That leaves 55% of the repositories carrying build pipeline risk that is completely invisible to existing governance.
Using the March 2026 Trivy supply chain attack as a case study, this talk demonstrates how mutable GitHub Actions tags (a tag can be re-pointed to a different commit after thousands of pipelines have already adopted it) enabled credential theft across those pipelines, and how a single enforceable policy (pinning every action to a full commit SHA) would have prevented it.
The session introduces a zero-trust framework for build pipeline governance built on four principles: Invisible Security (compliance as a side effect of shipping code), Forensic Attestation (a Build Chain of Custody record for every build), Blast Radius Control (instant forensic lookups across thousands of repos), and Compliance as Code (OPA/Rego policies mapped to 8 regulatory frameworks covering 100+ controls).
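As an added worked example (not the speaker's code, and not tooling from the BCoC standard or Build Flow Labs), here is the SHA-pinning control from the Trivy case study expressed as a policy a CI job could run: it scans a workflow's `uses:` references and denies the build when any action resolves through a mutable tag, branch, or image tag instead of an immutable commit SHA or image digest. The talk's framework expresses such rules in OPA/Rego; this is a Python equivalent of one such rule. The workflow text, the action names, and the commit SHA embedded in it are constructed for illustration only.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow for this example; not taken from any real repository.
# The 40-hex SHA on the upload-artifact step is illustrative, not a vouched-for commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5.0.0
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
      - run: make test
"""

# Matches a `uses:` line (step-level or job-level reusable workflow) and captures the spec.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<spec>[^\s"\'#]+)')
# A full 40-hex commit SHA is the only immutable ref for a git-hosted action.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def check_spec(spec: str):
    """Classify one `uses:` spec.

    Returns (action, ref, reason) for a violation, or None when the reference
    is immutable (commit SHA, image digest) or local to the calling repository.
    """
    if spec.startswith("./"):
        return None  # local action: versioned by the calling repo's own commit
    if spec.startswith("docker://"):
        image = spec[len("docker://"):]
        if "@sha256:" in image:
            return None  # digest-pinned image is immutable
        name, _, tag = image.partition(":")
        return (name, tag or "latest", "mutable image tag; pin to @sha256:<digest>")
    action, sep, ref = spec.partition("@")
    if not sep:
        return (action, "", "no ref; resolves to the default branch")
    if SHA_RE.fullmatch(ref):
        return None  # pinned to a specific commit; the tag comment is informational only
    return (action, ref, "mutable tag or branch; pin to a 40-hex commit SHA")


def find_unpinned(workflow_text: str):
    """Return one Finding per `uses:` reference that is not immutably pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        result = check_spec(m.group("spec"))
        if result:
            action, ref, reason = result
            findings.append(Finding(lineno, action, ref, reason))
    return findings


def evaluate(workflow_text: str) -> dict:
    """Policy decision in the OPA deny-list style: allow only when no reference is unpinned."""
    violations = [
        f"line {f.line}: {f.action}@{f.ref}: {f.reason}" for f in find_unpinned(workflow_text)
    ]
    return {"allow": not violations, "violations": violations}


if __name__ == "__main__":
    decision = evaluate(SAMPLE_WORKFLOW)
    for v in decision["violations"]:
        print(v)
    print("allow:", decision["allow"])
```

The check deliberately treats a version tag with a trailing `# v4.4.3` comment as pinned only because of the SHA in front of it; the comment is for humans, and a tag alone is what an attacker can move. Run as a pre-merge gate, a `False` decision blocks the workflow change, which is the enforcement the case study says would have stopped the credential theft.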
This is not a product pitch. This is original doctoral research, real production data, and a deployable framework for closing the governance gap exploited in the Trivy, SolarWinds, Codecov, 3CX, and Kaseya attacks.
Attendees leave with: a taxonomy of pipeline risks outside current compliance frameworks, a working model for Build Chain of Custody as a forensic evidence standard, actionable OPA/Rego policy patterns, and compliance mappings across SOC 2, SOX, NIST, ISO, PCI-DSS, FedRAMP, CIS, and HIPAA.