Software Supply Chain Security
Securing software supply chains since 2017: sponsoring in-toto research, maintaining Witness and Archivista, and co-chairing CNCF TAG Security.
Our maturity framework takes organisations from CVE triage to fully automated policy-driven delivery.
Enterprise open source security is broken
Vulnerability volume outpaces remediation capacity. Traceability is fragmented. Ownership is unclear. The result: constant firefighting, compliance burden, and risk leaking to production.
CVE burnout
Vulnerability volume outpaces remediation capacity, driving constant firefighting and backlog growth.
Run-cost rising
Manual triage, gating, and reporting inflate operational overhead.
Traceability gaps
Hard to answer 'what runs where, what's affected, where did it come from?' reliably.
Delivery predictability falling
Last-minute CVE firefights delay releases. Automation nearly impossible.
Ownership confusion
Unclear accountability: findings and assets mapped to the wrong team.
Regulatory burden increasing
EU CRA, NIS2, and US Executive Orders demand evidence-based supply chain controls.
Tool and data fragmentation
Signals and evidence spread across multiple systems, requiring manual stitching.
Risk leaking to production
Without consistent decisioning, unresolved vulnerabilities reach production.
No single source of truth
No authoritative dataset for posture, provenance, or ownership: views conflict and drift.
Low team morale and confidence
Exhausted teams lose trust in the process. Skilled engineers spend time firefighting instead of building.
Supply Chain Maturity Framework
What's inside each level
An extensible, incremental framework to reduce CVE toil and improve software supply chain control, without a big-bang programme.
Start where you are, stop when ROI diminishes.
Reduce remediation pressure with better signal intake, standardised SBOMs, operationalised VEX, and consistent prioritisation.
Establish a single source of truth for provenance, posture, and ownership: fed by existing tools, consumed by downstream controls.
Create verifiable evidence that the right artefact was built, from the right source, through the right process, and promoted correctly.
Automate the path from ingestion to production using central policy-as-code, context-aware authorisation, and continuous enforcement.
Levels build on each other to reduce risk: you can achieve any level and still bank measurable outcomes
Open Source Ingestion & Third-Party Code Risk
The software you consume is your weakest link. From the Trivy supply chain attack to dependency confusion, ingestion is where risk enters.
We've secured high value supply chains for tier 1 banks, critical infrastructure, and technology leaders.
How a multinational bank implemented automated provenance verification of over three million external packages
We create, maintain, and govern the tools we use
10-year sponsors of the in-toto project. John Kjell and our team are core maintainers of Witness and Archivista: the attestation frameworks underpinning software supply chain verification at scale.
Co-chairs of CNCF TAG Security, OpenSSF core contributors, FINOS AI Security working group. Pro-bono CISO for OpenUK. Shaping the standards that define supply chain security.
Continuous secure ingestion at Citi. Supply chain assurance at JPMC. Platform security for Morgan Stanley. Regulated-industry deployment is our core expertise.
Assessment and implementation of SLSA build levels
Signing and verification deployment at enterprise scale
End-to-end SBOM generation and VEX operating models
Supply chain security insights from ControlPlane
A two-part journey through the lens of large banks, regulated industries, and security consultancies, exploring how organisations can manage open source and software supply chain risk effectively.
Francesco Beltramini
Principal Consultant
Addressing Common Vulnerabilities and Exposures (CVEs) is no longer optional. This article explores practical strategies for reducing CVE exposure across your software supply chain.
Andrew Martin
Founder and CEO
SBOMs are just the beginning. This talk explores how to make SBOMs actionable, from generation and enrichment to consumption and policy enforcement across your supply chain.
Andrew Martin
Founder and CEO
Start With an Assessment
Our Supply Chain Maturity Framework is an extensible, incremental approach to reducing CVE toil and improving software supply chain control, without a big-bang programme. It has four levels: from VEX-led prioritisation, through centralised traceability, to verifiable builds and ultimately policy-driven automation. You can stop at any level and still bank measurable outcomes.
No. The framework is designed to be incremental. Many organisations see significant value from Level 1 alone: better CVE prioritisation, fewer false positives, and clearer exception management. Each level builds on the previous but delivers standalone value.
Our framework is complementary to SLSA and OpenSSF guidelines. Level 3 aligns directly with SLSA build levels, and we use OpenSSF Scorecard as one of many inputs to our assessment. We contribute to both projects and bring deep implementation experience from regulated environments.
Level 1 quick wins can be delivered in 4-8 weeks. Level 2 typically takes 3-6 months depending on the existing toolchain. Levels 3 and 4 are longer-term engagements that depend on organisational maturity and ambition. We always start with an assessment to scope accurately.
Yes, all our packages are customisable to your needs.
This assessment requires 20 person days, but the engagement can be customised to spend more time on certain areas of interest.
Yes, we can tailor this engagement to provide actionable results that are compatible with guidelines such as the CIS Software Supply Chain Security Guide, SLSA, and OpenSSF Scorecard. Let us know about your specific requirements!
