Kilo-Vulnerabilities: From Panic to Patching

Third-party dependencies play a significant role in the development process. They provide ready-made solutions while saving valuable time and resources, enabling developers to focus on the application's bespoke functionality.

Upgrading dependencies is often treated as a no-brainer and is usually recommended as a 'silver bullet' against threats such as supply-chain attacks. But what happens when that initial dependency (SCA) scan reports 1000 vulnerabilities, sending panic across the dev and security teams? It is essential to recognise that blindly applying every update is not always the best course of action. In the same breath, neglecting to upgrade third-party dependencies will, without a doubt, introduce risk, because outdated dependencies almost certainly contain known vulnerabilities.

This session explores processes development teams can follow to prioritise, triage, and remediate identified security issues.
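As an added illustration of that triage step (not material from the session or its speaker), the script below turns a per-CVE scan export into a short, ordered upgrade plan: each finding gets a score from vendor severity, known exploitation, reachability, and whether a fix exists, and findings are then collapsed to one row per package version so that a single bump closes several CVEs at once. The package names, the sample findings and the scoring weights are constructed for the example and are a policy choice, not a standard.

```python
"""Prioritise dependency-scan findings into an ordered upgrade plan.

Added example. Package names, sample findings and weights below are
constructed assumptions for illustration, not real advisories or a
standard scoring scheme.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    package: str
    installed: str
    fixed: Optional[str]        # None when no patched release exists yet
    severity: str               # vendor severity: critical/high/medium/low
    known_exploited: bool       # listed in a known-exploited catalogue
    direct: bool                # direct dependency, not pulled in transitively
    reachable: Optional[bool]   # None when no reachability analysis was run


# Assumed weights: tune to your own risk appetite.
SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 15, "low": 5}


def score(f: Finding) -> int:
    """Higher means fix sooner. Known exploitation dominates severity."""
    s = SEVERITY_WEIGHT.get(f.severity.lower(), 0)
    if f.known_exploited:
        s += 40
    if f.reachable is True:
        s += 20
    elif f.reachable is False:
        s -= 10   # vulnerable code not called; still tracked, lower urgency
    if f.direct:
        s += 5    # direct deps are cheaper to bump and easier to test
    if f.fixed is None:
        s -= 5    # nothing to upgrade to; needs a mitigation, not a bump
    return s


def bucket(f: Finding) -> str:
    """Map a finding to a work queue. Anything actively exploited is fix-now."""
    s = score(f)
    if f.known_exploited or s >= 60:
        return "fix-now"
    if s >= 30:
        return "next-sprint"
    return "backlog"


def _ver(v: str) -> Tuple[int, ...]:
    # Assumes plain dotted numeric versions, as in the constructed sample.
    return tuple(int(p) for p in v.split("."))


def max_fixed(fs: List[Finding]) -> Optional[str]:
    """Lowest version that closes every fixable finding in the group."""
    fixed = [f.fixed for f in fs if f.fixed is not None]
    return max(fixed, key=_ver) if fixed else None


def plan(findings: List[Finding]) -> List[dict]:
    """Collapse per-CVE findings into one row per (package, installed version),
    ordered by the worst finding each upgrade would close."""
    groups: Dict[Tuple[str, str], List[Finding]] = {}
    for f in findings:
        groups.setdefault((f.package, f.installed), []).append(f)
    rows = []
    for (pkg, ver), fs in groups.items():
        worst = max(fs, key=score)
        rows.append({
            "package": pkg,
            "installed": ver,
            "upgrade_to": max_fixed(fs),
            "findings": len(fs),
            "score": score(worst),
            "bucket": bucket(worst),
        })
    rows.sort(key=lambda r: (-r["score"], r["package"]))
    return rows


# Constructed sample: fictional packages, no real CVEs.
SAMPLE = [
    Finding("json-parse-x", "1.2.0", "1.2.4", "high", True, True, True),
    Finding("json-parse-x", "1.2.0", "1.2.3", "medium", False, True, None),
    Finding("json-parse-x", "1.2.0", "1.2.1", "low", False, True, False),
    Finding("img-resize-x", "0.9.1", "0.10.0", "critical", False, False, False),
    Finding("tls-shim-x", "2.0.0", None, "high", False, True, None),
    Finding("legacy-util-x", "3.1.0", "3.1.1", "medium", False, False, None),
]

if __name__ == "__main__":
    for r in plan(SAMPLE):
        print(f'{r["bucket"]:11} {r["package"]:14} {r["installed"]} -> '
              f'{r["upgrade_to"]}  ({r["findings"]} findings, score {r["score"]})')
```

Two caveats a practitioner would want: reachability analysis has false negatives, so an "unreachable" critical is deprioritised here rather than dropped, and a finding with no fixed release ("tls-shim-x" in the sample) still lands in a work queue because the action is a mitigation or vendor follow-up, not an upgrade.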

Fadzayi Moyo

Team Lead & Senior Application Security Consultant @ CyberCX, Podcast co-host @ WestCoast Cyber
