SUPPLYSHIELD
Abstract
SupplyShield is a robust security framework designed to protect against complex software supply chain attacks. It helps organizations seamlessly integrate supply chain security into their Software Development Lifecycle (SDLC), addressing the challenges of managing hundreds of microservices and thousands of daily builds. SupplyShield focuses on generating a Software Bill of Materials (SBOM) and performing Software Composition Analysis (SCA) for microservices.
SupplyShield is built for scalability, enabling SBOM generation and SCA in CI/CD environments with thousands of daily builds. It ensures rapid detection of zero-day vulnerabilities, like the log4j exploit, reducing Mean Time To Detect (MTTD) to minutes and simplifying patch management for security engineers and developers. The framework also includes a dashboard that provides key metrics and actionable insights.
In the latest release, SupplyShield introduces several major updates: Secure Version Identification (identifying minimal top-level package upgrades to resolve vulnerabilities in deeply nested transitive dependencies), GitHub Integration for SCA Actionables (raising actionable items as GitHub issues), EPSS-Based Vulnerability Prioritization, and Build Comparison to analyze changes and identify newly introduced packages and vulnerabilities across builds.
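As an added illustration of the Build Comparison and EPSS-based prioritization described above (not SupplyShield's own code; the SBOM component lists, placeholder vulnerability IDs and EPSS/CVSS values are constructed sample data), this diffs two CycloneDX-style component lists and ranks the vulnerabilities that are new in the second build by EPSS rather than CVSS:

```python
"""Build comparison with EPSS-based prioritization over two CycloneDX-style SBOMs.
Constructed sample data; vulnerability IDs are placeholders, not real CVE numbers."""

# Constructed CycloneDX-like SBOMs for two consecutive builds (only purl fields kept).
BUILD_OLD = {"components": [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    {"purl": "pkg:maven/com.google.guava/guava@31.1-jre"},
]}
BUILD_NEW = {"components": [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0"},  # version changed
    {"purl": "pkg:maven/org.yaml/snakeyaml@1.30"},                               # newly added
]}
# Constructed vulnerability feed keyed by purl: (placeholder id, EPSS probability, CVSS score).
VULN_DB = {
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0": [("VULN-A", 0.02, 9.8)],
    "pkg:maven/org.yaml/snakeyaml@1.30": [("VULN-B", 0.71, 7.5), ("VULN-C", 0.05, 5.3)],
}

def split_purl(purl):
    """'pkg:maven/group/name@ver' -> ('pkg:maven/group/name', 'ver'). Qualifiers ignored (assumption)."""
    name, _, version = purl.rpartition("@")
    return name, version

def by_name(sbom):
    """Map package name (purl without version) -> full purl."""
    return {split_purl(c["purl"])[0]: c["purl"] for c in sbom["components"]}

def compare_builds(old, new):
    """Classify packages as added, removed, or version-changed between two builds."""
    o, n = by_name(old), by_name(new)
    added = sorted(set(n) - set(o))
    removed = sorted(set(o) - set(n))
    changed = {k: (split_purl(o[k])[1], split_purl(n[k])[1])
               for k in set(o) & set(n) if o[k] != n[k]}
    return {"added": added, "removed": removed, "changed": changed}

def new_vulnerabilities(old, new, vuln_db):
    """Vulnerabilities attached to purls present only in the new build (new packages and
    changed versions), ranked by EPSS descending with CVSS as tie-breaker."""
    old_purls = {c["purl"] for c in old["components"]}
    findings = []
    for c in new["components"]:
        if c["purl"] in old_purls:
            continue  # unchanged purl: nothing newly introduced by this build
        for vid, epss, cvss in vuln_db.get(c["purl"], []):
            findings.append({"id": vid, "purl": c["purl"], "epss": epss, "cvss": cvss})
    return sorted(findings, key=lambda f: (f["epss"], f["cvss"]), reverse=True)
```

Note that the CVSS 9.8 finding lands last: EPSS ranks by observed exploitation likelihood, which is the prioritization signal the release note refers to.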