SupplyShield: Protecting Your Software Supply Chain

By Rahul Sunder, Yadhu Krishna M, Hritik Vijay, Sourav Kumar, Akash Methani on 24 Apr 2026 @ Blackhat: Arsenal
#supply-chain-security #sbom #sca #software-composition-analysis #devsecops
Focus Areas: Software Supply Chain Security, Application Security, Vulnerability Management
This tool demo covers the following tools, which the speaker has contributed to or authored:
SUPPLYSHIELD

Abstract

SupplyShield is a robust security framework designed to protect against complex software supply chain attacks. It helps organizations seamlessly integrate supply chain security into their Software Development Lifecycle (SDLC), addressing the challenges of managing hundreds of microservices and thousands of daily builds. SupplyShield focuses on generating a Software Bill of Materials (SBOM) and performing Software Composition Analysis (SCA) for microservices. It is built for scalability, enabling SBOM generation and SCA in CI/CD environments with thousands of daily builds. It ensures rapid detection of zero-day vulnerabilities, like the log4j exploit, reducing Mean Time To Detect (MTTD) to minutes and simplifying patch management for security engineers and developers. The framework also includes a dashboard that provides key metrics and actionable insights.

In the latest release, SupplyShield introduces several major updates aimed at further enhancing its capabilities:

Secure Version Identification: The framework now identifies a minimal set of top-level package upgrades that effectively resolve vulnerabilities in deeply nested transitive dependencies.

GitHub Integration for SCA Actionables: All actionable items generated from SCA scans can now be raised directly as GitHub issues within repositories, streamlining collaboration and task management for teams.

EPSS-Based Vulnerability Prioritization: Vulnerabilities are now prioritized using the Exploit Prediction Scoring System (EPSS), enabling teams to focus on the most critical threats.

Build Comparison: SupplyShield now enables users to compare different builds, helping them analyze changes, identify newly introduced packages and vulnerabilities, and check consistency across builds.

With these new features, SupplyShield continues to scale effectively and offers comprehensive tools to help organizations strengthen their software supply chain security with ease and efficiency.