Securing the Software Supply Chain with Open Source

Modern applications are no longer built in isolation - they are assembled from open source dependencies, automated build pipelines, and cloud-native infrastructure. This shift has introduced a new class of risks: software supply chain attacks, where attackers compromise dependencies, build systems, or deployment pipelines to impact applications at scale.

Recent incidents, including large-scale NPM ecosystem compromises, demonstrate how a single weak link can cascade into widespread impact.

In this session, we will explore how these attacks work in practice and why traditional security approaches often fail to detect them. We will then walk through a practical, open source–driven approach to securing the entire software delivery lifecycle.

The session will cover:

• Understanding software supply chain risks and real-world attack patterns

• Generating Software Bill of Materials (SBOM) using tools like Syft and standards such as SPDX and CycloneDX

• Identifying vulnerabilities in dependencies using tools like Grype and Trivy

• Managing and monitoring dependencies with platforms like Dependency-Track

• Strengthening build integrity using SLSA principles

• Securing infrastructure as code using tools such as Checkov and KICS

• Designing a secure, end-to-end CI/CD pipeline using open source tooling

By the end of this session, attendees will have a clear mental model and practical blueprint for building and deploying applications securely using open source tools.

Tools used: Syft, Grype, Trivy, Dependency-Track, Checkov, KICS. Everything we are gonna explore in this session is Open Source and we are going to create a process on top of that.

1. Why supply chain security matters

• Modern apps inherit risk from dependencies and pipelines

• Attacks target the build process, not just runtime

2. A simple mental model for securing systems

• Dependencies → Build → Deploy

• Each stage has distinct risks and controls

3. SBOM as a foundation

• You can’t secure what you don’t inventory

• SBOM enables visibility and traceability

4. Practical vulnerability detection

• How tools like Trivy/Grype fit into real workflows

• Continuous scanning vs one-time checks

5. Build integrity and trust (SLSA mindset)

• Why verifying how software is built matters

• Introduction to provenance and tamper resistance

6. Infrastructure security is part of the supply chain

• IaC misconfigurations = attack surface

• Tools like Checkov/KICS shift security left

7. End-to-end architecture thinking

• Security is not a tool, it’s a pipeline design problem

• How to combine tools into a cohesive workflow