Securing Diverse Supply Chains Across Interconnected Systems - Wayne Starr, Defense Unicorns & Aaron Creel, SpaceX

less than 1 minute read


Working within large software systems can make it difficult to determine the full scope of software, libraries and tooling contained within a diverse set of components, often maintained across separate teams and departments. Security teams must become familiar with a wide range of packaging technologies and practices, and often manually aggregate information to make determinations on where vulnerabilities may be present and how to mitigate them. In this talk, we will share how SpaceX is solving this through a layered application of Syft, Grype, and OWASP Dependency Check as Software Bill of Materials (SBOM) and vulnerability discovery tools integrated into their software development process and continuous integration pipelines. This integration has allowed them to reduce the cycle time for developers to respond to potential vulnerabilities, and allowed them to more efficiently prioritize how developers work across projects.

Sched URL