Lessons Learned from One Year of Supply Chain Security with OWASP Dependency-Track

Short description

The majority of modern software development projects would not be economically viable without extensive use of open-source libraries. However, these libraries pose a risk in the form of unintended or malicious security vulnerabilities.

How can we protect ourselves against this?

Firstly, we need to know which third-party code we are integrating, and most importantly, whether it contains any security vulnerabilities that could affect our product's security.

Software composition analysis tools, such as the free OWASP Dependency-Track, promise to provide this information. So what should we bear in mind when adopting an SCA tool?

What technical and human pitfalls might we encounter on the way to achieving transparency in our supply chain?

Problems addressed:

How can a software project be examined for weaknesses that have resulted from the integration of third-party libraries?

How can an SCA tool such as OWASP Dependency-Track help to find a transparent, systematic approach to dealing with security vulnerabilities in external dependencies?

What have we learned in terms of technical challenges and human factors after introducing OWASP Dependency-Track in a variety of very different projects?

Talk language: English
Level: Newcomer
Target group: Security Officers, Developers, Product Managers

Company:
WPS - Workplace Solutions GmbH

Presented by:
Markus Geiger

Johannes Bumüller