Securing the chains: Building defensive layers for software supply chains

By Yadhu Krishna M , Akhil Mahendra , Hritik Vijay on 02 Mar 2025 @ Nullcon
#blueteam #container-security #sbom #sca #supply-chain-attack #dependency-management
Focus Areas: Governance, Risk & Compliance; Security Operations & Defense; Software Supply Chain Security; Cloud Security; Vulnerability Management


Abstract

Navigating the intricate landscape of software supply chain vulnerabilities in large organizations, this session unveils a robust framework addressing practical challenges faced by product security teams. We tackle the identification and patch management struggle inherent in software supply chain vulnerabilities.

Our defensive approach revolves around the creation of a comprehensive framework. We spotlight strategies for ownership resolution, prioritization, and streamlining vulnerability management, focusing on a defensive paradigm for mid- to large-scale organizations. The presentation covers the struggle defensive teams face in maintaining development pace while keeping the chains secure.

In this talk, join us on a journey of understanding and securing your organization's supply chain security posture, including base images, SBOMs, and SCA prioritization. We implemented practical approaches to proactively detect alien (unapproved) and outdated base images, minimizing high-severity risks. Gain insights into our unique strategies for programmatically addressing ownership challenges in SCA across various development teams.

Attendees will explore strategies for streamlining vulnerability management with engineering teams by delving into the importance of utilizing parent-to-child mapping for transitive dependencies at the SBOM level. Discover how this approach builds trust, reduces friction, and fosters the concept of collective security responsibility.

This session is particularly valuable for Nullcon attendees looking to build security automations for a mid-level startup where a lot of things have already gone sideways, yet you must ensure that everything is safe.

AI Generated Summary

The talk addresses the challenge of managing software supply chain vulnerabilities in large organizations, where traditional standalone scanning tools prove unscalable and lack visibility into ownership and transitive dependencies. The core problem is efficiently identifying, prioritizing, and assigning responsibility for security issues across complex microservice environments.

The presented solution, the open-source Supply Shield framework, uses a Docker image-based scanning approach to capture the exact runtime dependencies and generate Software Bills of Materials (SBOMs). A key technique involves analyzing Docker layer hashes to segregate vulnerabilities: those originating from base images are assigned to platform/DevOps teams, while application-layer issues fall to developers. To resolve developer pushback over unexplained transitive vulnerabilities, the system enhances SBOM generation (using cdxgen) to include explicit dependency relationships, providing clear paths showing how vulnerable packages are introduced. An algorithm further isolates vulnerabilities from shared internal "common packages," correctly assigning ownership to the platform team that maintains them.

Prioritization shifts from CVSS scores to service exposure, flagging vulnerabilities in public-facing services first. The system provides developers with actionable, specific upgrade paths and suggests secure versions or open-source alternatives where possible. Practical takeaways emphasize that effective supply chain security requires building comprehensive visibility (via detailed SBOMs), aligning stakeholder responsibilities, and designing tools that assist rather than hinder engineering workflows. The open-source model is presented as essential for solving pervasive industry problems collaboratively.
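The three mechanisms the summary describes (layer-hash attribution of base-image findings, parent-to-child dependency paths for transitive packages, and isolation of findings introduced through internal common packages, ordered by service exposure) can be shown on a small CycloneDX-style SBOM. The following is an added illustration, not code from Supply Shield or the speakers; the SBOM, layer digests, service names, package refs and vulnerability identifiers are all constructed placeholders, and the `layer` field on each component is an assumed extension used here to stand in for the layer-hash mapping the talk describes.

```python
"""Added example (not Supply Shield's own code): explain how a vulnerable
transitive package was introduced, attribute each finding to the base image,
an internal common package, or the application layer, and order findings by
service exposure rather than by CVSS alone."""
from collections import deque

# Constructed sample data: a minimal CycloneDX-like SBOM. The "layer" field is
# an assumed extension recording which image layer introduced the component.
SBOM = {
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@1.1.1", "layer": "sha256:base0001"},
        {"bom-ref": "pkg:pypi/app@1.0", "layer": "sha256:app0001"},
        {"bom-ref": "pkg:pypi/requests@2.25.0", "layer": "sha256:app0001"},
        {"bom-ref": "pkg:pypi/urllib3@1.26.3", "layer": "sha256:app0001"},
        {"bom-ref": "pkg:pypi/internal-common@3.2.0", "layer": "sha256:app0001"},
        {"bom-ref": "pkg:pypi/pyyaml@5.3", "layer": "sha256:app0001"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/app@1.0",
         "dependsOn": ["pkg:pypi/requests@2.25.0", "pkg:pypi/internal-common@3.2.0"]},
        {"ref": "pkg:pypi/requests@2.25.0", "dependsOn": ["pkg:pypi/urllib3@1.26.3"]},
        {"ref": "pkg:pypi/internal-common@3.2.0", "dependsOn": ["pkg:pypi/pyyaml@5.3"]},
    ],
}
# Layer digests belonging to the approved base image (constructed).
BASE_LAYERS = {"sha256:base0001"}
# Internal shared packages maintained by the platform team (constructed).
COMMON_PACKAGES = {"pkg:pypi/internal-common@3.2.0"}
# Services built from this image, with their root component and exposure.
SERVICES = {
    "checkout-api": {"root": "pkg:pypi/app@1.0", "public": True},
    "batch-worker": {"root": "pkg:pypi/app@1.0", "public": False},
}
# Scanner findings as (service, component ref, vulnerability id placeholder).
FINDINGS = [
    ("batch-worker", "pkg:pypi/urllib3@1.26.3", "VULN-PLACEHOLDER-1"),
    ("checkout-api", "pkg:deb/debian/openssl@1.1.1", "VULN-PLACEHOLDER-2"),
    ("checkout-api", "pkg:pypi/pyyaml@5.3", "VULN-PLACEHOLDER-3"),
    ("checkout-api", "pkg:pypi/urllib3@1.26.3", "VULN-PLACEHOLDER-4"),
]


def build_graph(sbom):
    """Map each component ref to the refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom["dependencies"]}


def dependency_path(graph, root, target):
    """Breadth-first search from the service root to the vulnerable component.
    Returns the chain of refs root ... target, or None if unreachable."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for child in graph.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return None


def assign_owner(sbom, graph, root, ref):
    """Attribute a finding: a base-image layer goes to the platform team; a
    package reached only through an internal common package goes to the team
    maintaining that package; everything else goes to the application team."""
    layers = {c["bom-ref"]: c["layer"] for c in sbom["components"]}
    if layers.get(ref) in BASE_LAYERS:
        return "platform/base-image"
    path = dependency_path(graph, root, ref) or []
    if any(p in COMMON_PACKAGES for p in path[:-1]):
        return "platform/common-package"
    return "application"


def triage(sbom, findings, services):
    """Build one report row per finding with owner and introduction path, then
    order rows so public-facing services come first and, within a service,
    issues the application team can fix directly come before platform ones."""
    graph = build_graph(sbom)
    report = []
    for service, ref, vuln_id in findings:
        root = services[service]["root"]
        path = dependency_path(graph, root, ref)
        report.append({
            "service": service,
            "vuln": vuln_id,
            "component": ref,
            "owner": assign_owner(sbom, graph, root, ref),
            "path": " -> ".join(path) if path else "(base image, not in application graph)",
            "public": services[service]["public"],
        })
    report.sort(key=lambda r: (not r["public"], r["owner"] != "application"))
    return report


if __name__ == "__main__":
    for row in triage(SBOM, FINDINGS, SERVICES):
        print(f"{row['service']:13} {row['vuln']:20} {row['owner']:24} {row['path']}")
```

The path string is what gets attached to the ticket so a developer can see that, for example, `pyyaml` arrived through `internal-common` and is therefore the platform team's upgrade to make, while the `urllib3` finding in the public-facing service sorts ahead of the same finding in the internal batch worker regardless of identical severity scores.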

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.