Language: English
10-11, 13:30–13:50 (America/New_York), Track 1 (206b)
With vulnerable and outdated components being an OWASP Top 10 issue in 2025, it is no surprise that managing third-party dependencies has become a priority for Application Security teams. Join me on our journey to secure an org with 3000+ developers contributing to 3800+ repositories (with some monrepos receiving on average over 95 daily commits) and 650+ services through Software Composition Analysis (SCA). We will attempt to understand the 3 main components of SCA: scanning, triaging and remediation. We will go through some design and policy decisions that we've made and learn from our wins and losses to determine how to successfully implement an optimal solution.
10 years ago I got my start in Security by doing N-Day research. Our team was responsible for creating exploits for previously disclosed vulnerabilities using only publicly available information. The rationale was that these vulnerabilities posed a greater risk to certain organizations because of their accessibility to lower skilled attackers. Since then, my security career has allowed me to wear many hats. Almost comically, now I find myself on the other side of the equation, protecting a large organization from the same types of issues I used to report on at the start of my career. I hope that my unique experience will be able to give you a holistic view of defending your organization from vulnerable and outdated third party dependencies
-
What is SCA?
An automated process for identifying software dependencies that could have critical vulnerabilities or licensing issues -
Overview of Scanning, Triaging and Remediation.
Deploying the scanner is the obvious first and most technically demanding step. For this reason, triaging and remediation of findings is often overlooked. Most organizations end up with a large number of findings and false positives, overwhelming security and engineering teams. For this reason, it is important to put some forethought into triaging and remediation. -
How Vulnerable and Outdated Components enter your software chain?
For us to tackle any problem we need to understand the root cause. How do you end up with vulnerable third party dependencies? There are two main ways that this happens:- Developers introduce older version of a dependency = close the floodgates
- Developers forget to update existing dependencies = tackle the backlog and enforce good dependency hygiene
-
Scanning Approaches
There are three main ways to implement scanning- A periodic scan (cron job)
- A service that integrates with your SCM to perform asynchronous scans
- Scans built into CI/CD
We will cover the pros and cons of each approach, technical details about how we went about implementation and what's worked for us.
-
Delving deeper into the design
Often companies rely on a black box approach to scanning. This could result in issues such as:- Bugs in vendors tools breaking the CI/CD pipelines
- Vendor takes time to support the newest version of lock files or package manager, slowing engineering down
- Engineering moves to a new build system which the vendor does not support
To address the above issue we’ll look into using SBOMs for standardizing and decoupling scanning from the build process. We’ll also explore some other advantages of using SBOMs. We will also explore scaling challenges and how to address them. (e.g by using Argo Workflows)
-
Triaging
Now that we have scanning in place, we will soon be overwhelmed with findings. The following has helped us with triaging:- Setting benchmarks. For example in a microservices environment you might want to prioritize edge services, deprioritize certain vulnerability classes (e.g DoS) and exclude test dependencies
- Reachability Analysis
- Old school PoC or GTFO. Good security engineers can help increase developer productivity while not compromising security.
- Uploading results to a vulnerability management platform (e.g defect dojo)
-Remediation
In most organizations, developers will be responsible for remediation. Vulnerability SLAs are just a start. Consider uploading findings to a developer console such as backstage and try to gamify remediation.
-High level overview architecture diagram
During his 10 year long security career Siva has the opportunity to wear many hats, from being a Security Researcher @ ZDI (Zero Day Initiative), the world’s largest vendor agnostic bug bounty program, to a Security Engineer @ Okta. Currently he is a Security Engineer @ DoorDash when he leads projects to enable developer velocity without compromising security,