BSidesLuxembourg 2026

Building vs. Buying – A Tale of Developing an In-House SCA Tool
2026-05-08, Workshops and Stage - Gernsback (C1.05.02)

Most organizations run Software Composition Analysis, yet very few actually use the results effectively. Alerts pile up, developers ignore findings, and security teams drown in noise.

This talk tells the story of building an in-house SCA platform from scratch using open-source tooling, designed to scale across large organizations while focusing on what actually matters. We’ll explore how to normalize results, prioritize vulnerabilities based on real risk, and integrate SCA into CI/CD in a way developers don’t hate.

Backed by real production usage and a live demo, this session focuses on practical techniques, not theory, to turn SCA from a checkbox into something teams can act on. Attendees will leave with ideas, patterns, and open-source approaches they can apply immediately.


In this session, I will take the audience through the complete journey of designing, building, and deploying an open-source Software Composition Analysis (SCA) tool from scratch. I will start by highlighting the common challenges teams face when using commercial SCA tools, such as opaque scoring systems, overwhelming volumes of alerts, inconsistent results across different repositories and ecosystems, and the difficulty in prioritizing what matters most. I will explain the motivation behind building an in-house, open-source tool: to give security and development teams transparency, control, and flexibility, and to create a practical, actionable approach to managing dependencies at scale.

Next, I will dive into the technical architecture and design decisions that guided the tool’s development, showing how it discovers dependencies, including transitive ones, across multiple ecosystems. I will cover how the tool integrates public vulnerability sources, including CVE databases, advisories, and metadata, and how it normalizes results to provide consistent, actionable insights. I will explain the scoring system we developed to prioritize vulnerabilities based on severity, exploitability, and update cadence, enabling teams to focus on what actually matters.

The session will include a live demo showing a real repository being scanned, vulnerabilities being discovered, scored, and surfaced in dashboards. I will walk through how results are integrated into CI/CD pipelines to block risky builds, automate updates, and generate actionable reports for developers. Along the way, I will share lessons learned from real-world deployment, including challenges in adoption, maintaining open-source tools, and improving developer engagement.
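As an added illustration of the normalization, risk scoring and CI gating described above (example code, not the talk's tool), the snippet below maps two constructed scanner outputs into one schema, scores each finding from severity, exploitability and how long a fix has been available, and decides whether a build should be blocked. Weights, field names and the 75-point threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    package: str
    ecosystem: str
    vuln_id: str
    severity: float                     # CVSS base score, 0-10
    exploited: bool                     # known exploited in the wild
    epss: float                         # exploitation probability, 0-1
    fix_since: Optional[date]           # None = no fixed version yet
    transitive: bool

# Constructed sample outputs in two scanner-native shapes (not real data).
NPM_AUDIT = [{"name": "lodash", "id": "EXAMPLE-0001", "cvss": 7.5, "kev": False,
              "epss": 0.42, "fixed_on": "2025-11-01", "direct": False}]
PIP_AUDIT = [{"pkg": "requests", "advisory": "EXAMPLE-0002", "score": 9.8,
              "kev": True, "epss": 0.91, "fixed_on": None, "path_len": 1}]
TODAY = date(2026, 5, 8)

def _d(s: Optional[str]) -> Optional[date]:
    return date.fromisoformat(s) if s else None

def normalize(npm: list, pip: list) -> list:
    """Map ecosystem-specific fields into the common Finding schema."""
    out = [Finding(r["name"], "npm", r["id"], r["cvss"], r["kev"], r["epss"],
                   _d(r["fixed_on"]), not r["direct"]) for r in npm]
    out += [Finding(r["pkg"], "pypi", r["advisory"], r["score"], r["kev"], r["epss"],
                    _d(r["fixed_on"]), r["path_len"] > 1) for r in pip]
    return out

def priority(f: Finding, today: date) -> float:
    """0-100 blend: 40% severity, 40% exploitability, 20% fix age (assumed weights)."""
    sev = f.severity / 10.0
    expl = 1.0 if f.exploited else f.epss
    if f.fix_since is None:
        cadence = 0.0                               # nothing to upgrade to yet
    else:
        cadence = min((today - f.fix_since).days / 90.0, 1.0)  # 90+ days: fully overdue
    return round(100 * (0.4 * sev + 0.4 * expl + 0.2 * cadence), 1)

def rank(findings: list, today: date) -> list:
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)

def should_block(findings: list, today: date, threshold: float = 75.0) -> bool:
    """CI gate: fail the build if any finding scores at or above the threshold."""
    return any(priority(f, today) >= threshold for f in findings)
```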

By the end of the session, attendees will understand the full lifecycle of building and using an open-source SCA tool, including practical integration strategies, risk prioritization techniques, and how to deploy it effectively in their own environments. I will provide links to the open-source code and supporting materials, so participants can explore and experiment immediately.



I am an Application Security Engineer with extensive experience building and operating security tooling at scale. I started my career at Checkmarx, where I worked on security products, and later joined Flutter Entertainment, where I implemented and evolved large-scale AppSec programs. I currently work at OLX, focusing on automation, scalable security tooling, and cloud security. I actively contribute to open-source security projects and regularly speak at security conferences including Black Hat MEA, BSides, and BalCCon, with a focus on practical SAST, secrets management and SCA implementations.
