Keeping Dependencies Up to Date: How Beta Systems Secures the Software Supply Chain

Blog Article · 5 min
Robert Gützkow
Product Security Engineer
Sebastian Mende
Software Engineer Platform Services

Key Takeaways

  • Open source is both an opportunity and a risk. Every dependency adds functionality but also expands the attack surface.

  • The complexity of modern software demands full visibility. Hundreds of direct and transitive dependencies make structured management essential.

  • Automation combined with expert review is critical. Tools alone are not enough, final decisions remain a human responsibility.

  • An integrated toolchain ensures control and compliance. Standardized CI/CD pipelines, automated scans, SBOMs, and continuous monitoring work together.

  • A strong security culture makes the difference. Security is embedded across the entire SDLC and every release.

Open-source dependencies are the backbone of modern software development. They speed up innovation, reduce development effort, and make it possible to build complex systems in short timeframes. But this efficiency comes with a trade-off: every external library becomes part of your own product’s security posture. In this article, we explain how Beta Systems secures the software supply chain through effective dependency management and automation.

A Growing Attack Surface

The risk landscape is evolving at high speed. In the first three months of 2025 alone, the MITRE Foundation registered more than 12,000 new Common Vulnerabilities and Exposures (CVEs), averaging around 130 new entries per day. Each could, in principle, affect third-party code within a product. High-profile incidents such as Log4Shell (CVE-2021-44228) and the compromise of npm packages by the Shai-Hulud worm show how quickly a single weakness can cascade through millions of systems.

Without a clear and structured approach to dependency management, organizations lose visibility and control. To understand why this challenge is so demanding, it helps to look at the structure of today’s software supply chains.

The Complexity of the Modern Software Supply Chain

Most software products rely on hundreds of direct and transitive dependencies, quickly forming a complex supply chain graph with thousands of packages. Each can become an entry point for vulnerabilities, sometimes indirectly.

Just as physical manufacturing requires every component to be tested and safe, software supply chain security depends on visibility and control across all dependencies. Without this, organizations face:

  • Zero-day and n-day exploits (n-day exploits are built by reverse-engineering published patches, so an unpatched dependency is exposed as soon as the fix is public)

  • Compliance violations (e.g. against the NIS-2 Regulation, DORA, or the Cyber Resilience Act)

  • Reputational damage and financial loss from breaches

Beta Systems’ Strategy: Automation and Expertise

Beta Systems simplifies both dependency and vulnerability management by automating repetitive tasks while letting experts make critical decisions. This balanced approach has proven more reliable than either extreme. Manual checks alone can’t keep pace with constant change, but relying solely on automation isn’t safe either. Supply chain attacks have shown how quickly a malicious update can slip through if no one is watching.

Rather than following a fixed recipe, our framework continues to evolve. Its foundation rests on three pillars:

  • Automation to flag outdated dependencies and known vulnerabilities

  • Standardized CI/CD pipelines built from reusable GitLab Components

  • Expert review and a strong security culture ensuring final decisions stay human-driven

Core Building Blocks of Secure Dependency Management

1. CI/CD Pipelines and Components with GitLab

  • Reusable pipeline components help teams to follow consistent DevSecOps practices

  • Central maintenance by the Platform Services team cuts duplicate effort

  • Standardized jobs for dependency updates and security scans

  • Unified tooling increases developer productivity

2. Automated Dependency Updates with Renovate

  • Detects version drift across npm, Maven, Gradle, Docker, and IaC

  • Automatically creates merge requests for upgrades

  • Supports patch, minor, and major version strategies

  • No auto-merge – each update is reviewed by a developer to reduce supply chain risks
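The following script is an added example for this article, not Beta Systems' or Renovate's code. It shows the decision an update bot makes before opening a merge request: classify each available release as a patch, minor or major update, pick the newest candidate, and leave the merge to a human. It adds one guardrail the article does not mention, a release-age cool-down (Renovate's `minimumReleaseAge` setting), because a freshly published compromised version is exactly the case where a pause helps. The manifest, registry metadata, dates and the 3-day window are constructed for the demo.

```python
"""Plan dependency updates the way an update bot does before opening a merge
request, with two guardrails: never auto-merge, and skip releases younger
than a cool-down period.

Added example, not Beta Systems' or Renovate's code. MANIFEST, REGISTRY,
TODAY and MIN_RELEASE_AGE are constructed values for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse(version: str) -> tuple[int, int, int]:
    """Turn '4.17.21' into (4, 17, 21); pre-release tags are not handled here."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a plain semver version: {version}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def update_type(current: str, candidate: str) -> str | None:
    """'major', 'minor' or 'patch' if candidate is newer than current, else None."""
    cur, new = parse(current), parse(candidate)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


@dataclass
class Proposal:
    package: str
    current: str
    target: str | None          # version the MR would move to; None if all newer releases are in cool-down
    kind: str | None            # update type of the target
    held: list[str] = field(default_factory=list)  # newer releases skipped because they are too fresh
    automerge: bool = False     # policy: a reviewer merges, never the bot


# Constructed: versions currently pinned in the project's lock file.
MANIFEST = {"chalk": "5.3.0", "debug": "4.3.4", "lodash": "4.17.21"}

# Constructed: registry view of available versions and their publish dates.
REGISTRY = {
    "chalk": {"5.3.0": date(2023, 6, 30), "5.6.0": date(2025, 8, 1), "5.6.1": date(2025, 9, 8)},
    "debug": {"4.3.4": date(2022, 3, 1), "4.4.1": date(2025, 7, 15), "4.4.2": date(2025, 9, 8)},
    "lodash": {"4.17.21": date(2021, 2, 20)},
}

TODAY = date(2025, 9, 9)            # constructed "run date" of the bot
MIN_RELEASE_AGE = timedelta(days=3)  # constructed cool-down before a release is proposed


def plan_updates(manifest: dict, registry: dict, today: date,
                 min_age: timedelta = MIN_RELEASE_AGE) -> list[Proposal]:
    """One Proposal per package that has newer releases; packages already current are skipped."""
    proposals = []
    for pkg, current in manifest.items():
        eligible, held = [], []
        for version, published in registry.get(pkg, {}).items():
            if update_type(current, version) is None:
                continue  # same as or older than what we run
            if today - published < min_age:
                held.append(version)      # too fresh: a pulled or compromised release waits here
            else:
                eligible.append(version)
        if not eligible and not held:
            continue  # already up to date
        target = max(eligible, key=parse) if eligible else None
        kind = update_type(current, target) if target else None
        proposals.append(Proposal(pkg, current, target, kind, sorted(held, key=parse)))
    return proposals


def merge_request_summary(p: Proposal) -> str:
    """The one line a reviewer sees; the auto-merge flag is spelled out so nobody assumes it."""
    if p.target is None:
        return f"{p.package}: no update proposed, {len(p.held)} release(s) still in cool-down"
    note = f", skipped {', '.join(p.held)} (cool-down)" if p.held else ""
    return f"{p.package}: {p.current} -> {p.target} ({p.kind}){note}; automerge={p.automerge}"


if __name__ == "__main__":
    for proposal in plan_updates(MANIFEST, REGISTRY, TODAY):
        print(merge_request_summary(proposal))
```

With the constructed data, chalk and debug each get a minor update proposed while their releases from the previous day are held back, and lodash produces no proposal at all; every proposal carries `automerge=False`, which is the policy the article describes.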

3. Vulnerability & Security Scans with Trivy

  • Scans for CVEs during development and build phases using multiple vulnerability databases

  • Detects misconfigurations in Infrastructure-as-Code (IaC) and hardcoded secrets in repositories

  • Relies on lock files for integrity and version pinning
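The check below is an added example, not Beta Systems' or Trivy's code. It shows what "relying on lock files for integrity and version pinning" means in practice for an npm project: every entry in `package-lock.json` must carry a strong integrity hash, must resolve to the expected registry, and the archive the build actually fetched must hash to the recorded value. The lock file content and the tarball bytes are constructed for the demo, and the hostnames are placeholders.

```python
"""Verify that the packages a build installs match the lock file.

Added example, not Beta Systems' or Trivy's code. LOCKFILE is a constructed
package-lock.json (v3 layout: a "packages" map keyed by install path), and
FETCHED holds constructed byte strings standing in for downloaded tarballs.
"""
from __future__ import annotations

import base64
import hashlib
from urllib.parse import urlparse

STRONG_ALGOS = ("sha256", "sha384", "sha512")


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity string as used in npm lock files: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed tarballs (what the build fetched), keyed by install path.
FETCHED = {
    "node_modules/good-lib": b"good-lib-1.0.0 tarball contents",
    "node_modules/tampered-lib": b"tampered-lib-2.1.0 tarball contents (modified)",
    "node_modules/mirror-lib": b"mirror-lib-0.3.1 tarball contents",
    "node_modules/legacy-lib": b"legacy-lib-1.5.2 tarball contents",
}

# Constructed package-lock.json content, as it would look after json.load().
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/good-lib": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-1.0.0.tgz",
            "integrity": sri(FETCHED["node_modules/good-lib"]),
        },
        "node_modules/tampered-lib": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/tampered-lib/-/tampered-lib-2.1.0.tgz",
            # hash of the original archive; the bytes in FETCHED differ
            "integrity": sri(b"tampered-lib-2.1.0 tarball contents"),
        },
        "node_modules/mirror-lib": {
            "version": "0.3.1",
            # placeholder host: not the registry this project allows
            "resolved": "https://mirror.example.invalid/mirror-lib/-/mirror-lib-0.3.1.tgz",
            "integrity": sri(FETCHED["node_modules/mirror-lib"]),
        },
        "node_modules/legacy-lib": {
            "version": "1.5.2",
            "resolved": "https://registry.npmjs.org/legacy-lib/-/legacy-lib-1.5.2.tgz",
            "integrity": sri(FETCHED["node_modules/legacy-lib"], "sha1"),  # old lock files still carry sha1
        },
        "node_modules/unpinned-lib": {
            "version": "3.0.0",
            "resolved": "https://registry.npmjs.org/unpinned-lib/-/unpinned-lib-3.0.0.tgz",
            # no "integrity" key at all: the version is pinned, the content is not
        },
    },
}


def check_lockfile(lock: dict, fetched: dict,
                   allowed_host: str = "registry.npmjs.org") -> list[tuple[str, str]]:
    """Return (install path, problem) pairs; an empty list means the install matches the lock file."""
    findings = []
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project itself
        host = urlparse(entry.get("resolved", "")).hostname
        if host != allowed_host:
            findings.append((path, f"resolved from unexpected host {host!r}"))
        integrity = entry.get("integrity")
        if not integrity:
            findings.append((path, "no integrity hash recorded; version is pinned but content is not"))
            continue
        algo, _, _ = integrity.partition("-")
        if algo not in STRONG_ALGOS:
            findings.append((path, f"weak integrity algorithm {algo}"))
            continue
        data = fetched.get(path)
        if data is None:
            findings.append((path, "tarball not fetched, cannot verify"))
            continue
        if sri(data, algo) != integrity:
            findings.append((path, "integrity mismatch: fetched tarball differs from lock file"))
    return findings


if __name__ == "__main__":
    for install_path, problem in check_lockfile(LOCKFILE, FETCHED):
        print(f"{install_path}: {problem}")
```

Only `good-lib` passes; the other four entries each surface one of the failure modes a scanner or a CI policy should stop the build on. In a real pipeline the `FETCHED` map would be filled from the archives npm downloaded, and the host allow-list would come from the project's registry configuration.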

4. SBOMs & OWASP Dependency Track

  • Software Bills of Materials (SBOMs) generated by cdxgen and DejaCode in CycloneDX format serve as input

  • Systematic monitoring of dependencies in released software through OWASP Dependency Track

  • Automatically creates tickets for identified CVEs

  • Uses Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosure Report (VDR) for standardized reporting of vulnerability management results

  • Provides documentation for compliance with the Cyber Resilience Act and transparency for NIS-2 and DORA
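To make the SBOM, VEX and VDR terms concrete, here is an added example that is not Beta Systems', cdxgen's or Dependency Track's code. It joins a CycloneDX SBOM with a vulnerability feed and a VEX document into a VDR-style report, so that a vulnerability a VEX statement marks as `not_affected` (with its justification) is separated from the ones that still need a ticket. The SBOM, the feed and the VEX are constructed inline; CVE-2021-44228 is the Log4Shell id from the article, and CVE-0000-0000 is a placeholder, not a real advisory.

```python
"""Join a CycloneDX SBOM with vulnerability data and a VEX document into a
Vulnerability Disclosure Report (VDR), applying the VEX analysis so that
reviewers see what is actually open.

Added example, not Beta Systems', cdxgen's or Dependency Track's code.
SBOM, ADVISORIES and VEX are constructed; CVE-0000-0000 is a placeholder id.
"""
from __future__ import annotations

# Constructed CycloneDX 1.5 SBOM (the shape cdxgen emits), trimmed to components.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "demo-parser", "version": "1.4.0",
         "purl": "pkg:npm/demo-parser@1.4.0"},
        {"type": "library", "name": "demo-utils", "version": "3.2.1",
         "purl": "pkg:npm/demo-utils@3.2.1"},
    ],
}

# Constructed advisory feed: purl -> list of (vulnerability id, severity).
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": [("CVE-2021-44228", "critical")],
    "pkg:npm/demo-parser@1.4.0": [("CVE-0000-0000", "high")],   # placeholder id
}

# Constructed VEX: CycloneDX vulnerabilities[] entries carrying an "analysis" block.
VEX = {
    "vulnerabilities": [
        {
            "id": "CVE-0000-0000",
            "affects": [{"ref": "pkg:npm/demo-parser@1.4.0"}],
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "the vulnerable entry point is never called by this product",
            },
        }
    ]
}

# CycloneDX analysis states that still require action.
OPEN_STATES = {"exploitable", "in_triage"}


def vex_index(vex: dict) -> dict[tuple[str, str], dict]:
    """Map (vulnerability id, component purl) -> analysis block, so a verdict applies per component."""
    index = {}
    for vuln in vex.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = vuln.get("analysis", {})
    return index


def build_vdr(sbom: dict, advisories: dict, vex: dict) -> dict:
    """Return a CycloneDX-style VDR: one record per (component, advisory) match, with the VEX verdict attached."""
    analyses = vex_index(vex)
    records = []
    for comp in sbom["components"]:
        purl = comp.get("purl")
        for vuln_id, severity in advisories.get(purl, []):
            # no VEX statement yet means the finding is still in triage
            analysis = analyses.get((vuln_id, purl), {"state": "in_triage"})
            records.append({
                "id": vuln_id,
                "ratings": [{"severity": severity}],
                "affects": [{"ref": purl}],
                "analysis": analysis,
            })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": records}


def open_findings(vdr: dict) -> list[str]:
    """Ids that still need a ticket: no VEX verdict yet, or confirmed exploitable."""
    return [v["id"] for v in vdr["vulnerabilities"] if v["analysis"].get("state") in OPEN_STATES]


def suppressed_findings(vdr: dict) -> list[tuple[str, str]]:
    """Ids closed by VEX, paired with the justification a reviewer can check."""
    return [(v["id"], v["analysis"].get("justification", ""))
            for v in vdr["vulnerabilities"] if v["analysis"].get("state") == "not_affected"]


if __name__ == "__main__":
    report = build_vdr(SBOM, ADVISORIES, VEX)
    print("open:", open_findings(report))
    print("suppressed:", suppressed_findings(report))
```

With the constructed input, Log4Shell stays open (no VEX statement exists for it, so it lands in triage and would get a ticket), while the placeholder finding on demo-parser is reported as not affected together with the `code_not_reachable` justification. Dropping the VEX entirely puts both findings back into triage, which is the behaviour you want: a suppression should never survive the loss of its justification.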

Beyond Tools: Building a Security Culture

Technology alone cannot secure the software supply chain. The real strength comes from people and processes:

  • A Secure Software Development Lifecycle (SDLC) framework that guides teams from start to finish

  • Developer training based on real-world incidents, not just theory

  • Daily cooperation between developers and AppSec experts, making security an integral part of development and not an afterthought

  • Clear and transparent vulnerability reporting with every release, ensuring risks remain visible and decisions are traceable

Security culture at Beta Systems is not abstract. It actively shapes how dependency decisions are made, documented, and aligned with compliance expectations.

Case Study: Supply Chain Attack Prevention

The compromise of the npm packages chalk and debug, along with the Shai-Hulud worm outbreaks in September and November 2025, highlighted a key lesson: blind automation is risky. In those cases, attackers inserted malicious code into libraries that were downloaded billions of times. Had those updates been auto-merged, infected versions would have reached production almost immediately.

At Beta Systems we’ve chosen a different path. Renovate still prepares the updates, but they only proceed after engineer review. This deliberate pause maintains the right balance between speed, automation, and risk control.

Benefits of Beta Systems’ Approach

By combining CI/CD automation, security tooling, and expert oversight, Beta Systems achieves:

  • Faster vulnerability fixes without compromising stability

  • A reduced attack surface through proactive dependency monitoring

  • Compliance with the Cyber Resilience Act, and support for customers under NIS-2 and DORA

  • Less time spent on CI maintenance thanks to shared GitLab Components

  • Greater transparency for customers through SBOM-based reporting

Conclusion

  • Keeping software dependencies up to date is not optional. It is essential to secure the software supply chain. With thousands of new CVEs published monthly, organizations need an approach that is automated, scalable, and compliant but still keeps experts in control.

  • At Beta Systems, we deliver exactly that: Automated detection and scanning with Trivy and Renovate, continuous monitoring using SBOMs and OWASP Dependency Track, standardized pipelines with GitLab Components, and a strong security culture across the SDLC.

  • The result: secure, compliant, and resilient software our customers can trust.

Authors

Robert Gützkow
Product Security Engineer

Robert Gützkow is a DevSecOps Specialist and Product Security Engineer at Beta Systems. Since September 2022, he has been continuously promoting the improvement of the internal development infrastructure, the implementation of security tools in CI/CD pipelines and the modernization of the Software Development Lifecycle (SDLC). By advising development on design and security issues, evaluating CVEs, leading security training, creating the cryptographic security policy and conducting penetration tests, he contributes significantly to the quality of Beta Systems’ products.

Sebastian Mende
Software Engineer Platform Services

Since 2022, Sebastian Mende has been a pillar of the technological advancement and new development of central core components as a Senior Software Engineer at Beta Systems. With a keen eye for architecture, sustainability, and quality, he plays a key role in developing the foundations of a modern CI/CD landscape and establishing best practices for frameworks, code structures, and software quality that set standards across teams.

In addition to his conceptual and operational work, he is responsible for the technical leadership of the new license management tooling, driving its architecture, integration, and further development. Furthermore, he is actively committed to knowledge transfer: he supports colleagues with complex technical questions, offers knowledge transfer and enablement sessions regarding CI/CD pipelines, and ensures that modern development standards are not only defined but also put into practice.

Through his combination of deep technical understanding, strategic thinking, and pragmatic implementation, Sebastian Mende makes a decisive contribution to the innovative strength and technological excellence of Beta Systems.
