Hackfest 2024 - 16-bit Edition

Sivathmican Sivakumaran

During his 10-year security career, Siva has had the opportunity to wear many hats, from being a Security Researcher @ ZDI (Zero Day Initiative), the world's largest vendor-agnostic bug bounty program, to a Security Engineer @ Okta. Currently he is a Security Engineer @ DoorDash, where he leads projects to enable developer velocity without compromising security.


Your pronouns

him/he/his

Which country are you from?

Canada

Your twitter or other social network

https://www.linkedin.com/in/sivathmican-sivakumaran-36127647/


Session

10-11
13:30
20min
Securing software supply chains: Getting Software Composition Analysis (SCA) right!
Sivathmican Sivakumaran

With vulnerable and outdated components being an OWASP Top 10 issue in 2025, it is no surprise that managing third-party dependencies has become a priority for Application Security teams. Join me on our journey to secure an org with 3000+ developers contributing to 3800+ repositories (with some monorepos receiving on average over 95 daily commits) and 650+ services through Software Composition Analysis (SCA). We will attempt to understand the 3 main components of SCA: scanning, triaging and remediation. We will go through some design and policy decisions that we've made and learn from our wins and losses to determine how to successfully implement an optimal solution.

10 years ago I got my start in Security by doing N-Day research. Our team was responsible for creating exploits for previously disclosed vulnerabilities using only publicly available information. The rationale was that these vulnerabilities posed a greater risk to certain organizations because of their accessibility to lower-skilled attackers. Since then, my security career has allowed me to wear many hats. Almost comically, now I find myself on the other side of the equation, protecting a large organization from the same types of issues I used to report on at the start of my career. I hope that my unique experience will be able to give you a holistic view of defending your organization from vulnerable and outdated third-party dependencies.

Defensive
Track 1 (206b)