Blog Article

Keeping Dependencies Up to Date: How Beta Systems Secures the Software Supply Chain

Open-source dependencies accelerate software development but come with risks. Outdated libraries, missing patches, and even supply chain attacks can slip in unnoticed. In the first three months of 2025 alone, the MITRE Foundation registered over twelve thousand new CVEs – around 130 new entries every day. Each could, in principle, affect third-party code within a product. High-profile cases such as Log4Shell (CVE-2021-44228) and the recent compromise of npm packages by the Shai-Hulud worm in September and November 2025 illustrate the point: without a clear strategy for dependency management, a single weakness can threaten millions of systems at once. In this article, we explain how Beta Systems secures the software supply chain through effective dependency management and automation.


The Complexity of the Modern Software Supply Chain

Most software products rely on hundreds of direct and transitive dependencies, quickly forming a complex supply chain graph with thousands of packages. Each can become an entry point for vulnerabilities, sometimes indirectly. 

Just as physical manufacturing requires every component to be tested and safe, software supply chain security depends on visibility and control across all dependencies. Without this, organizations face: 

  • Zero-day and n-day exploits (the latter derived by attackers reverse-engineering published patches) 

  • Compliance violations (e.g., NIS-2, DORA, Cyber Resilience Act) 

  • Reputational damage and financial loss from breaches 

Beta Systems Strategy: Automation and Expertise

Beta Systems simplifies both dependency and vulnerability management by automating repetitive tasks while letting experts make critical decisions. This balanced approach has proven more reliable than either extreme. Manual checks alone can’t keep pace with constant change, but relying solely on automation isn’t safe either. Supply chain attacks have shown how quickly a malicious update can slip through if no one is watching. 

Rather than following a fixed recipe, our framework continues to evolve. Its foundation rests on three pillars: 

  • Automation to flag outdated dependencies and known vulnerabilities 

  • Standardized CI/CD pipelines built from reusable GitLab Components 

  • Expert review and a strong security culture ensuring final decisions stay human-driven 

Core Building Blocks of Secure Dependency Management

1. CI/CD Pipelines and Components with GitLab

  • Reusable pipeline components help teams follow consistent DevSecOps practices 

  • Central maintenance by the Platform Services team cuts duplicate effort 

  • Standardized jobs for dependency updates and security scans 

  • Unified tooling increases developer productivity 

2. Automated Dependency Updates with Renovate

  • Detects version drift across npm, Maven, Gradle, Docker, and IaC 

  • Automatically creates merge requests for upgrades 

  • Supports patch, minor, and major version strategies 

  • No auto-merge – each update is reviewed by a developer to reduce supply chain risks
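The drift detection and patch/minor/major grouping described above can be illustrated with a small classifier. The script below is an added example written for this article; it is not Renovate's code and it does not talk to a registry. The lock-file contents (`LOCKED`) and the registry snapshot (`REGISTRY`) are constructed inline with invented package names, and the result is a report grouped by semver impact, mirroring how an update bot opens one merge request per upgrade group for a developer to review.

```python
"""Classify dependency version drift into patch, minor and major upgrades.

Added example, not Renovate's implementation. The lock-file and registry
data are constructed so the script runs offline.
"""
from __future__ import annotations

import re

# Semantic version with optional "v" prefix and optional pre-release tag.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_semver(version: str) -> tuple[int, int, int, str]:
    """Return (major, minor, patch, prerelease); prerelease is '' if absent."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""


def classify_update(current: str, candidate: str) -> str:
    """Name the upgrade type from current to candidate: major, minor, patch or none."""
    cur = parse_semver(current)
    new = parse_semver(candidate)
    if new[:3] <= cur[:3]:
        return "none"  # same or older release: nothing to update
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


# Constructed: versions pinned in a lock file (invented package names).
LOCKED = {
    "alpha-utils": "5.3.0",
    "beta-logger": "4.3.6",
    "gamma-core": "4.17.21",
    "delta-http": "4.19.2",
    "eps-cli": "1.0.0",
}

# Constructed: newest published version per package, as a registry would report.
REGISTRY = {
    "alpha-utils": "5.3.4",
    "beta-logger": "4.4.0",
    "gamma-core": "4.17.21",
    "delta-http": "5.1.0",
    "eps-cli": "2.0.0-rc.1",
}


def drift_report(locked: dict[str, str], registry: dict[str, str],
                 ignore_prerelease: bool = True) -> dict[str, list[tuple[str, str, str]]]:
    """Compare pinned versions with the newest published ones and group the
    resulting upgrades by semver impact, one group per future merge request.

    Pre-release candidates are skipped by default (a design choice here,
    assumed rather than copied from any tool): a stable pin should not be
    bumped to an unstable release without an explicit decision."""
    report: dict[str, list[tuple[str, str, str]]] = {"major": [], "minor": [], "patch": []}
    for name, current in sorted(locked.items()):
        candidate = registry.get(name)
        if candidate is None:
            continue  # not in the registry snapshot: nothing to compare against
        if ignore_prerelease and parse_semver(candidate)[3]:
            continue
        kind = classify_update(current, candidate)
        if kind != "none":
            report[kind].append((name, current, candidate))
    return report


if __name__ == "__main__":
    for kind, entries in drift_report(LOCKED, REGISTRY).items():
        for name, old, new in entries:
            print(f"[{kind}] {name}: {old} -> {new}  (merge request pending review)")
```

The report deliberately stops at "pending review": every upgrade, patch or major, still passes through a developer before it is merged, which is the control that blocks a poisoned release from reaching production automatically.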

3. Vulnerability & Security Scans with Trivy

  • Scans for CVEs during development and build phases using multiple vulnerability databases 

  • Detects misconfigurations in Infrastructure-as-Code (IaC) and hardcoded secrets in repositories 

  • Relies on lock files for integrity and version pinning

4. SBOMs & OWASP Dependency Track

  • Software Bill of Materials (SBOMs) as input from cdxgen and DejaCode in CycloneDX format 

  • Systematically monitors dependencies in released software through OWASP Dependency Track 

  • Automatically creates tickets for identified CVEs 

  • Uses Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosure Report (VDR) for standardized reporting of vulnerability management results 

  • Provides documentation for compliance with the Cyber Resilience Act and transparency for NIS-2 and DORA
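The flow from SBOM to vulnerability report can be shown end to end with a few lines of Python. The script below is an added example for this article, not code from cdxgen, Dependency Track or the CycloneDX project. It takes a minimal CycloneDX SBOM, an advisory feed and a VEX document, all constructed inline with placeholder identifiers (`CVE-0000-000x` and invented package names), and produces a simplified VDR-style report in which each finding carries its VEX analysis state; findings with no recorded decision stay open and are the ones a ticket would be raised for. Matching is on exact affected versions to keep the example self-contained; real feeds also express version ranges.

```python
"""Build a simplified vulnerability disclosure report (VDR) from a CycloneDX
SBOM, an advisory feed and a VEX document.

Added example with constructed inputs; not Dependency Track's or cdxgen's code.
"""
from __future__ import annotations

import json

# Constructed: a minimal CycloneDX SBOM of the kind an SBOM generator emits.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "alpha-utils", "version": "5.3.0", "purl": "pkg:npm/alpha-utils@5.3.0"},
    {"type": "library", "name": "beta-logger", "version": "4.3.6", "purl": "pkg:npm/beta-logger@4.3.6"},
    {"type": "library", "name": "gamma-core",  "version": "4.17.21", "purl": "pkg:npm/gamma-core@4.17.21"}
  ]
}"""

# Constructed advisory feed: placeholder IDs, affected versions listed explicitly.
ADVISORIES = [
    {"id": "CVE-0000-0001", "purl": "pkg:npm/alpha-utils", "versions": ["5.3.0", "5.3.1"], "severity": "high"},
    {"id": "CVE-0000-0002", "purl": "pkg:npm/beta-logger", "versions": ["4.3.6"], "severity": "medium"},
    {"id": "CVE-0000-0003", "purl": "pkg:npm/gamma-core", "versions": ["4.17.20"], "severity": "critical"},
]

# Constructed VEX in CycloneDX style: the triage for CVE-0000-0002 recorded the
# vulnerable code path as unreachable in this product.
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "CVE-0000-0002",
     "affects": [{"ref": "pkg:npm/beta-logger@4.3.6"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}
  ]
}"""


def purl_base(purl: str) -> str:
    """Strip the version suffix: pkg:npm/x@1.0.0 -> pkg:npm/x."""
    return purl.split("@", 1)[0]


def match_components(sbom: dict, advisories: list[dict]) -> list[dict]:
    """One finding per (component, advisory) pair whose exact version is affected."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if purl_base(comp["purl"]) == adv["purl"] and comp["version"] in adv["versions"]:
                findings.append({"id": adv["id"], "ref": comp["purl"], "severity": adv["severity"]})
    return findings


def load_vex(vex: dict) -> dict[tuple[str, str], dict]:
    """Index VEX analysis blocks by (vulnerability id, component purl)."""
    index: dict[tuple[str, str], dict] = {}
    for vuln in vex.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = vuln.get("analysis", {})
    return index


def build_vdr(sbom: dict, advisories: list[dict], vex: dict) -> dict:
    """Merge SBOM findings with VEX decisions into a simplified VDR document.

    Findings without a VEX statement are reported as 'in_triage'; findings
    marked not_affected stay in the report so the decision remains traceable."""
    statements = load_vex(vex)
    vulns = []
    for finding in match_components(sbom, advisories):
        analysis = statements.get((finding["id"], finding["ref"]), {"state": "in_triage"})
        vulns.append({**finding, "analysis": analysis})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": vulns}


def tickets_needed(vdr: dict) -> list[str]:
    """IDs still requiring a ticket: anything not closed by a VEX decision."""
    closed = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}
    return [v["id"] for v in vdr["vulnerabilities"] if v["analysis"].get("state") not in closed]


def example_report() -> dict:
    """Run the pipeline over the constructed inputs."""
    return build_vdr(json.loads(SBOM_JSON), ADVISORIES, json.loads(VEX_JSON))


if __name__ == "__main__":
    vdr = example_report()
    print(json.dumps(vdr, indent=2))
    print("tickets to open:", tickets_needed(vdr))
```

Note that `gamma-core` produces no finding at all because the pinned 4.17.21 is not among the affected versions, while `beta-logger` produces a finding that is reported but not ticketed: the VEX statement turns a noisy match into a documented, reviewable decision, which is exactly what downstream compliance reporting needs.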

Beyond Tools: Building a Security Culture

Technology alone cannot secure the software supply chain. The real strength comes from people and processes: 

  • A Secure Software Development Lifecycle (SDLC) framework that guides teams from start to finish 

  • Developer training based on real-world incidents, not just theory 

  • Daily cooperation between developers and AppSec experts, making security an integral part of development and not an afterthought 

  • Clear and transparent vulnerability reporting with every release, ensuring risks remain visible and decisions are traceable 

Security culture at Beta Systems is not abstract. It actively shapes how dependency decisions are made, documented, and aligned with compliance expectations. 

Case Study: Supply Chain Attack Prevention

The compromise of the npm packages chalk and debug, along with the Shai-Hulud worm outbreak in September and November 2025, highlighted a key lesson: blind automation is risky. In that case, attackers inserted malicious code into libraries that were downloaded billions of times. Had those updates been auto-merged, infected versions would have reached production almost immediately. 

At Beta Systems we’ve chosen a different path. Renovate still prepares the updates, but they only proceed after engineer review. This deliberate pause maintains the right balance between speed, automation, and risk control. 

Benefits of Beta Systems' Approach

By combining CI/CD automation, security tooling, and expert oversight, Beta Systems achieves: 

  • Faster vulnerability fixes without compromising stability 

  • A reduced attack surface through proactive dependency monitoring 

  • Compliance with the Cyber Resilience Act, and support for customers under NIS-2 and DORA 

  • Less time spent on CI maintenance thanks to shared GitLab Components 

  • Greater transparency for customers through SBOM-based reporting 

Conclusion

Keeping software dependencies up to date is not optional. It is essential to secure the software supply chain. With thousands of new CVEs published monthly, organizations need an approach that is automated, scalable, and compliant but still keeps experts in control. 

At Beta Systems, we deliver exactly that: 

  • Automated detection and scanning with Trivy and Renovate 

  • Continuous monitoring using SBOMs and OWASP Dependency Track 

  • Standardized pipelines with GitLab Components 

  • A strong security culture across the SDLC 

The result: secure, compliant, and resilient software our customers can trust. 
