Ajshal
Strengthening Assurance in the Supply Chain
Submitted Apr 20, 2025
Topic of your submission: Supply chain security
I am submitting for: Rootconf Annual Conference 2025
Type of submission: 15 mins talk
Strengthening Security in the Supply Chain
Security practices in software development are often inconsistent and fragmented across teams. Many developers lack formal security training, and secure coding is deprioritized in favor of delivering features quickly. This creates systemic vulnerabilities that can propagate across the supply chain, especially in open-source environments where external dependencies introduce risk. The absence of clear ownership and metrics for secure development further weakens security posture, leaving gaps in monitoring and incident response.
The evolving regulatory landscape is pushing organizations to adopt more disciplined approaches. Frameworks such as the NIST Secure Software Development Framework (SSDF), the EU Cyber Resilience Act, and CERT-In’s SBOM mandates emphasize proactive risk management, secure build processes, and supply chain visibility. Yet, implementation remains a hurdle for many teams, due in part to the fragmented tooling ecosystem and lack of operational integration between developers, DevOps, and security stakeholders.
This session will show how developers and organisations can combine multiple strategies. It will cover adopting DevSecOps practices, such as embedding security checks into CI/CD pipelines so that vulnerabilities are detected early. Building and maintaining SBOMs in formats like SPDX or CycloneDX gives visibility into dependencies and their risks. Secure software training programs and coding standards (e.g., OWASP ASVS) build developer capability. Frameworks such as OpenSSF Scorecards and OpenChain ISO/IEC DIS 18974 can further structure and benchmark security maturity. The session will help developers and organisations create a layered approach, i.e. tooling, standards, governance, and education, that makes security a continuous and shared responsibility throughout the supply chain.
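As an added illustration of the SBOM-in-CI idea described above (example code written for this page, not part of the submission or any named project), the following script parses a constructed CycloneDX 1.5 JSON SBOM, matches each component's purl against a placeholder advisory list, flags components that cannot be identified at all, and returns a non-zero exit code a pipeline step can gate on. The SBOM contents, advisory ids and fixed versions are all assumptions made up for the example.

```python
import json

# Constructed sample SBOM (CycloneDX 1.5 JSON); not from a real project.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.0",
     "purl": "pkg:pypi/requests@2.25.0"},
    {"type": "library", "name": "urllib3", "version": "1.26.18",
     "purl": "pkg:pypi/urllib3@1.26.18"},
    {"type": "library", "name": "internal-helper", "version": "0.1"}
  ]
}"""

# Constructed advisory feed: purl base -> first fixed version (lower versions are affected).
# Ids and versions are placeholders; a real gate would pull OSV/NVD data instead.
ADVISORIES = {
    "pkg:pypi/requests": {"id": "EXAMPLE-0001", "fixed_in": "2.31.0"},
    "pkg:pypi/urllib3": {"id": "EXAMPLE-0002", "fixed_in": "1.26.5"},
}

def parse_version(v):
    """Turn '2.25.0' into (2, 25, 0); non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def check_sbom(sbom_text, advisories=ADVISORIES):
    """Return (findings, incomplete): vulnerable purls and components lacking a purl."""
    bom = json.loads(sbom_text)
    findings, incomplete = [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            # Without a purl the component cannot be matched to any advisory.
            incomplete.append(comp.get("name", "<unnamed>"))
            continue
        base, version = purl.rsplit("@", 1)
        adv = advisories.get(base)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append((purl, adv["id"], adv["fixed_in"]))
    return findings, incomplete

def ci_gate(sbom_text):
    """Exit code for a pipeline step: 0 only if nothing is vulnerable or unidentifiable."""
    findings, incomplete = check_sbom(sbom_text)
    for purl, adv_id, fixed in findings:
        print(f"VULNERABLE {purl}: {adv_id}, fixed in {fixed}")
    for name in incomplete:
        print(f"INCOMPLETE {name}: no purl, cannot be matched to advisories")
    return 1 if findings or incomplete else 0

if __name__ == "__main__":
    raise SystemExit(ci_gate(SBOM_JSON))
```

Treating a missing purl as a failure, not just a warning, is the point: an SBOM that cannot identify its own components gives no visibility into their risk.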
Ajshal is a technology lawyer working at a technology-focused law firm, LegaliTech.