Abstract
This session presents a framework for the practical problems product security teams face with software supply chain vulnerabilities in large organizations: identifying which components are actually vulnerable, and getting them patched without stalling delivery.
Our approach is defensive. We cover ownership resolution (deciding which team has to fix a given finding), prioritization, and streamlining vulnerability management for mid-to-large organizations. The presentation also discusses the tension defensive teams face between keeping up the development pace and keeping the supply chain secure.
The talk walks through securing an organization's supply chain posture across container base images, SBOMs and SCA prioritization. We describe the practical approaches we implemented to proactively detect alien (unapproved) and outdated base images, reducing high-severity risk before it ships, and the strategies we used to programmatically assign SCA findings to the development teams that own them.
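One way to implement the base-image check described above, as an added example that is not the talk's own tooling: parse the `FROM` lines of a Dockerfile, skip references to earlier build stages, and classify each external image against an allowlist of approved repositories and their currently approved tags. The registry name, the allowlist and the sample Dockerfile are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed allowlist for this example: approved base image repositories and
# the tags the platform team currently considers current. Anything else is
# "alien" (repository not approved) or "outdated" (approved repository,
# superseded tag). The registry hostname is hypothetical.
APPROVED_BASES = {
    "registry.example.internal/base/python": {"3.12-slim", "3.11-slim"},
    "registry.example.internal/base/node": {"20-alpine"},
}

# FROM [--platform=<p>] <image>[:<tag>|@<digest>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)

# Constructed Dockerfile used as sample input.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 registry.example.internal/base/node:20-alpine AS build
RUN npm ci && npm run build
FROM docker.io/library/ubuntu:22.04 AS tools
FROM registry.example.internal/base/python:3.9-slim
COPY --from=build /app/dist /srv/static
FROM build AS smoke
FROM registry.example.internal/base/python:3.12-slim
"""


@dataclass
class Finding:
    ref: str      # image reference exactly as written in the Dockerfile
    status: str   # approved | alien | outdated | untagged | digest-pinned


def split_image_ref(ref):
    """Split 'repo[:tag|@digest]' into (repo, tag_or_digest).

    The tag separator is the last ':' after the last '/', so a registry port
    such as 'host:5000/repo' is not mistaken for a tag.
    """
    if "@" in ref:
        name, _, digest = ref.partition("@")
        return name, "@" + digest
    slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon + 1:]
    return ref, None


def check_dockerfile(text):
    """Classify every external base image pulled by a Dockerfile."""
    findings = []
    stages = set()  # aliases of build stages seen so far
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        # 'FROM <stage>' reuses an earlier stage of this file; 'scratch' is the empty image.
        is_internal = ref.lower() in stages or ref.lower() == "scratch"
        if alias:
            stages.add(alias.lower())
        if is_internal:
            continue
        repo, tag = split_image_ref(ref)
        if repo not in APPROVED_BASES:
            status = "alien"
        elif tag is None or tag == "latest":
            status = "untagged"        # floating reference; cannot be judged current
        elif tag.startswith("@"):
            status = "digest-pinned"   # resolve the digest against the registry separately
        elif tag in APPROVED_BASES[repo]:
            status = "approved"
        else:
            status = "outdated"
        findings.append(Finding(ref, status))
    return findings


if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{f.status:13s} {f.ref}")
```

Lines such as `FROM ${BASE_IMAGE}` only resolve once build args are known, so in practice this check runs either after `ARG` substitution or against the image config of the built artifact, where the base layers are already fixed.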
Attendees will learn how to streamline vulnerability management with engineering teams by using parent-to-child mapping of transitive dependencies at the SBOM level: a finding in a transitive dependency is traced back to the direct dependency that pulls it in, so the team that declared that dependency receives an actionable fix rather than an unfamiliar package name. We show how this approach builds trust, reduces friction, and fosters collective responsibility for security.
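The parent-to-child mapping described above, as an added example rather than the presenters' own implementation: given a CycloneDX-style SBOM, walk the `dependencies` graph from the root component and, for a flagged component, return every direct dependency that transitively pulls it in together with the shortest path down to it. The SBOM content, package names and versions are constructed for the example and are not real packages or findings.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM. Only the fields the mapping needs are present:
# the root component and the dependency graph keyed by bom-ref.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "type": "application"}},
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/webframe@2.0", "pkg:pypi/httpclient@1.4"]},
    {"ref": "pkg:pypi/webframe@2.0", "dependsOn": ["pkg:pypi/templating@3.1"]},
    {"ref": "pkg:pypi/templating@3.1", "dependsOn": ["pkg:pypi/escaper@2.0"]},
    {"ref": "pkg:pypi/httpclient@1.4", "dependsOn": ["pkg:pypi/transport@1.26", "pkg:pypi/cabundle@2023.1"]},
    {"ref": "pkg:pypi/transport@1.26", "dependsOn": ["pkg:pypi/escaper@2.0"]},
    {"ref": "pkg:pypi/escaper@2.0", "dependsOn": []}
  ]
}
""")


def dependency_graph(sbom):
    """bom-ref -> list of bom-refs it depends on, from the CycloneDX dependencies array."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def shortest_path(graph, start, target):
    """Breadth-first search from start to target. Returns the ref path or None.

    The predecessor map doubles as the visited set, so dependency cycles
    (which real SBOMs do contain) cannot loop forever.
    """
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def direct_dependencies_pulling(sbom, flagged_ref):
    """Map each direct dependency of the root component that transitively pulls
    in flagged_ref to the shortest path from that direct dependency down to it.

    The keys are what an owning team can act on (bump or replace the declared
    dependency). A flagged component unreachable from the root yields {}.
    """
    graph = dependency_graph(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    result = {}
    for direct in graph.get(root, []):
        path = shortest_path(graph, direct, flagged_ref)
        if path is not None:
            result[direct] = path
    return result


if __name__ == "__main__":
    for direct, path in direct_dependencies_pulling(SBOM, "pkg:pypi/escaper@2.0").items():
        print(f"{direct}: {' -> '.join(path)}")
```

A flagged component reached through two direct dependencies (as `escaper` is here) produces two tickets, one per declaring team; one reached only through a single direct dependency produces exactly one. The direct dependency, not the deep transitive one, is the line the owning team has to change in their manifest, which is what makes the ticket actionable.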
This session is particularly valuable for Nullcon attendees who need to build security automation for a mid-sized startup where a lot has already gone sideways and the security team must still ensure that everything is safe.