Shepherding Software Dependencies
04-06, 16:00–16:45 (Europe/Vienna), HS i7
Language: English

The number of external dependencies in today's software has grown steadily over the years. With all these dependencies come bugs and security issues. Like a flock of sheep, it can be difficult to keep track of them all, take care of their needs, and leave no one behind.

In this talk, we'll present solutions for software composition analysis and dependency management using free and open source tools. Afterwards, we hope you will be convinced that this is something everyone should consider in their software projects, because it is relatively easy to get started, and it will make your life easier in the long run.

We will demonstrate how to create a Software Bill Of Material (SBOM) at build time using the OWASP CycloneDX tools. To further analyze the SBOM, we will demonstrate the use of OWASP Dependency Track. We will also demonstrate the use of Renovate to help maintainers keep up with dependency updates. To run all these tools in a CI/CD environment, we use GitLab.
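As an added example of the pipeline outlined above (not taken from the talk or its slides), here is a minimal GitLab CI configuration that builds a Node.js project, generates a CycloneDX SBOM with the `@cyclonedx/cyclonedx-npm` generator, and uploads it to a Dependency-Track server. The CI/CD variables `DT_API_URL`, `DT_API_KEY` and `DT_PROJECT_UUID` are assumed to be defined as masked variables in the GitLab project settings; the Node.js toolchain is just one of several CycloneDX generators.

```yaml
# Added example: GitLab CI pipeline for SBOM generation and upload.
# Assumes a Node.js project and these masked CI/CD variables set in GitLab:
#   DT_API_URL       base URL of the Dependency-Track API server
#   DT_API_KEY       API key with BOM_UPLOAD permission
#   DT_PROJECT_UUID  UUID of the target project in Dependency-Track
stages:
  - build
  - sbom

build:
  stage: build
  image: node:20
  script:
    # Lockfile-pinned install so the SBOM reflects exactly what ships
    - npm ci
  artifacts:
    paths:
      - node_modules/

sbom:
  stage: sbom
  image: node:20
  needs: [build]
  script:
    # Generate a CycloneDX JSON SBOM of the installed dependency tree
    - npx --yes @cyclonedx/cyclonedx-npm --output-format JSON --output-file bom.json
    # Upload to Dependency-Track; the server analyses the BOM against its
    # vulnerability sources asynchronously, so this job only hands it over
    - |
      curl --fail --silent --show-error \
        -X POST "$DT_API_URL/api/v1/bom" \
        -H "X-Api-Key: $DT_API_KEY" \
        -F "project=$DT_PROJECT_UUID" \
        -F "bom=@bom.json"
  artifacts:
    reports:
      # GitLab also ingests CycloneDX reports for its own dependency list
      cyclonedx: bom.json
    paths:
      - bom.json
```

Keeping the SBOM as a pipeline artifact gives you a per-commit record of the dependency tree even if the Dependency-Track server is unavailable, and `--fail` makes the job red when the upload is rejected (for example, a revoked API key) instead of silently passing. Renovate runs independently of this pipeline: a `renovate.json` at the repository root that extends the `config:recommended` preset is enough for it to start opening update merge requests against the same lockfile.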

See also: Slides - Shepherding_Software_Dependencies_v1-0-0.pdf (6.1 MB)

I am a software engineer by profession, passionate about open source software and application security. I try to follow the DevSecOps approach of enabling software development teams to integrate security tools into their daily work through automation and CI/CD.