< NULLCON 2025 - GOA />

About the Speaker

Yadhu Krishna M
Security Engineer CRED
Akhil Mahendra
Engineering Leader - Security Engineering CRED
Hritik
Security Engineer CRED

< Talk Title />

Securing the chains: Building defensive layers for software supply chains

< Talk Category />

Developer Track

< Talk Abstract />

This session navigates the intricate landscape of software supply chain vulnerabilities in large organizations and presents a robust framework that addresses the practical challenges faced by product security teams. We tackle the identification and patch-management struggle inherent in software supply chain vulnerabilities.

Our defensive approach revolves around the creation of a comprehensive framework. We spotlight strategies for ownership resolution, prioritization, and streamlining vulnerability management, focusing on a defensive paradigm for mid-to-large-scale organizations. The presentation covers the struggle defensive teams face in maintaining development pace while keeping the chains secure.

In this talk, join us on a journey of understanding and securing your organization's supply chain security posture, including base images, SBOMs, SCA prioritization, and more. We implemented practical approaches to proactively detect alien and outdated base images, minimizing high-severity security risks. Gain insights into our strategies for programmatically resolving ownership challenges in SCA across various development teams.
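As an added illustration of the "alien and outdated base image" detection the abstract mentions (example code written for this page, not the speakers' tooling), the snippet below parses the FROM lines of a Dockerfile, skips references to earlier build stages, and classifies each real base image against an allowlist. The Dockerfile text, the registry name and the approved-tag table are constructed for the example; "alien" means the repository is not in the allowlist at all, and "outdated" means the repository is approved but the tag is not one of the currently approved builds.

```python
"""Flag base images in a Dockerfile that are not from an approved
repository ("alien") or use a tag that is no longer approved ("outdated")."""
import re

# Constructed sample Dockerfile (hypothetical internal registry and tags).
DOCKERFILE = """\
FROM --platform=linux/amd64 registry.example.internal/base/python:3.12-2024.11 AS builder
RUN pip install -r requirements.txt
FROM registry.example.internal/base/python:3.11-2023.02
COPY --from=builder /app /app
FROM docker.io/library/alpine:3.19
"""

# Constructed allowlist: repository -> set of tags still considered current.
APPROVED = {
    "registry.example.internal/base/python": {"3.12-2024.11", "3.12-2024.12"},
}

# FROM [--platform=...] <image> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
    re.IGNORECASE | re.MULTILINE,
)


def parse_from_lines(text):
    """Return the base image references in a Dockerfile, in order.

    Multi-stage builds may say `FROM <alias>` to reuse an earlier stage;
    those are not base images and are skipped.
    """
    stage_aliases = set()
    images = []
    for match in FROM_RE.finditer(text):
        image, alias = match.group(1), match.group(2)
        if image in stage_aliases:
            continue
        if alias:
            stage_aliases.add(alias)
        images.append(image)
    return images


def split_image(ref):
    """Split 'repo/name:tag@sha256:...' into (repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' after the last '/' separates the tag; one before it is a registry port.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, "latest", digest


def classify(image, approved=APPROVED):
    """Classify one base image as 'ok', 'alien' or 'outdated'."""
    repo, tag, _digest = split_image(image)
    if repo not in approved:
        return "alien"
    if tag not in approved[repo]:
        return "outdated"
    return "ok"


def audit_dockerfile(text, approved=APPROVED):
    """Return [(image, verdict), ...] for every base image in the Dockerfile."""
    return [(img, classify(img, approved)) for img in parse_from_lines(text)]


if __name__ == "__main__":
    for image, verdict in audit_dockerfile(DOCKERFILE):
        print(f"{verdict:9s} {image}")
```

Running this over the constructed Dockerfile reports the builder image as ok, the second python image as outdated, and the public alpine image as alien; in a CI job the same function can be run over every Dockerfile in a repository and the non-ok rows turned into findings routed to the owning team.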

Attendees will explore strategies for streamlining vulnerability management with engineering teams by delving into the importance of utilizing parent-to-child mapping for transitive dependencies at the SBOM level. Discover how this approach builds trust, reduces friction, and fosters the concept of collective security responsibility.
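As an added worked example of the parent-to-child mapping described above (written for this page; not the speakers' code), the snippet below takes a CycloneDX-shaped SBOM whose `dependencies` array lists each component's children, inverts it into a child-to-parents map, and walks from a vulnerable transitive component up to the direct dependencies that pulled it in. Each direct dependency is then looked up in an ownership table, so a finding in a deep transitive package is assigned to the teams that actually chose the direct dependency. The SBOM contents, package names and the ownership table are all constructed for the example.

```python
"""Map a vulnerable transitive dependency back to the direct dependencies
(and owning teams) that pull it in, using an SBOM's dependency graph."""
from collections import deque

# Constructed, minimal CycloneDX-shaped SBOM (hypothetical package refs).
SBOM = {
    "metadata": {"component": {"bom-ref": "app"}},
    "components": [
        {"bom-ref": "pkg:npm/web-framework@1.0.0", "name": "web-framework"},
        {"bom-ref": "pkg:npm/payment-sdk@2.1.0", "name": "payment-sdk"},
        {"bom-ref": "pkg:npm/http-client@3.0.0", "name": "http-client"},
        {"bom-ref": "pkg:npm/tiny-parser@0.9.1", "name": "tiny-parser"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/web-framework@1.0.0",
                                     "pkg:npm/payment-sdk@2.1.0"]},
        {"ref": "pkg:npm/web-framework@1.0.0", "dependsOn": ["pkg:npm/http-client@3.0.0"]},
        {"ref": "pkg:npm/payment-sdk@2.1.0", "dependsOn": ["pkg:npm/http-client@3.0.0"]},
        {"ref": "pkg:npm/http-client@3.0.0", "dependsOn": ["pkg:npm/tiny-parser@0.9.1"]},
        {"ref": "pkg:npm/tiny-parser@0.9.1", "dependsOn": []},
    ],
}

# Constructed ownership table: which team owns each *direct* dependency.
DIRECT_OWNERS = {
    "pkg:npm/web-framework@1.0.0": "platform-team",
    "pkg:npm/payment-sdk@2.1.0": "payments-team",
}


def build_parent_map(sbom):
    """Invert the SBOM's parent -> children lists into child -> set(parents)."""
    parents = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, set()).add(entry["ref"])
    return parents


def direct_dependencies(sbom):
    """The refs the root application component depends on directly."""
    root = sbom["metadata"]["component"]["bom-ref"]
    for entry in sbom.get("dependencies", []):
        if entry["ref"] == root:
            return set(entry.get("dependsOn", []))
    return set()


def paths_to_direct(sbom, vulnerable_ref):
    """Every path from a direct dependency down to vulnerable_ref.

    Breadth-first walk over the parent map; each returned path is ordered
    direct dependency first, vulnerable component last.
    """
    parents = build_parent_map(sbom)
    direct = direct_dependencies(sbom)
    paths = []
    queue = deque([[vulnerable_ref]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in direct:
            paths.append(list(reversed(path)))
            continue
        for parent in parents.get(node, ()):
            if parent not in path:  # guard against dependency cycles
                queue.append(path + [parent])
    return paths


def owners_for(sbom, vulnerable_ref, owners=DIRECT_OWNERS):
    """Teams responsible for a finding in vulnerable_ref."""
    return {owners.get(path[0], "unowned") for path in paths_to_direct(sbom, vulnerable_ref)}


if __name__ == "__main__":
    vuln = "pkg:npm/tiny-parser@0.9.1"
    for path in paths_to_direct(SBOM, vuln):
        print(" -> ".join(path))
    print("owners:", sorted(owners_for(SBOM, vuln)))
```

Here `tiny-parser` is reached through both `web-framework` and `payment-sdk`, so the finding is routed to both owning teams with the exact chain that explains why, which is the "reduces friction" point in the abstract: the team sees which of their direct dependencies needs an upgrade rather than an unfamiliar package name.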

This session is particularly valuable for Nullcon attendees looking to build security automations for a mid-level startup where a lot of things have already gone sideways, yet you must still ensure that everything is safe.

< Speaker Bio />

Yadhu's Bio

Yadhu is a passionate Security Engineer, currently working at CRED, with over 3 years of experience in security. He specialises in identifying security vulnerabilities and in building and scaling security solutions.

Yadhu has reported high severity security issues in critical projects like Node.js, Gunicorn, Safari and received CVEs for the same.

He was also a part of bi0s (India's top-ranked CTF team) as a mentor, CTF player, and challenge creator, where he developed expertise in cybersecurity competitions and web security research.

Akhil's Bio

Akhil Mahendra is a seasoned security engineer with over a decade of experience in application security. As the Engineering Leader for Security at CRED, he is responsible for building and scaling security systems within the organization. He has been a key member of India’s top-ranked Capture the Flag team, team bi0s. His expertise spans building security frameworks and tools, and he has shared his work at prominent security conferences such as BlackHat Asia and BlackHat USA.

Hritik's Bio

Hritik Vijay is a security engineer and open source developer. He is currently working in Product Security at CRED. His primary focus for the past few years has been supply chain security and DevSecOps from an application security standpoint. He loves open source and is currently a maintainer and developer at VulnerableCode. He likes to explore the boundaries of software security and development in the Linux kernel in his free time.