- What: An automotive manufacturer is using a developer-friendly platform to secure its software supply chain.
- Impact: A vulnerable update to connected vehicles can pose real-world risks to systems and drivers.
Automaker Secures the Supply Chain With Developer-Friendly Platform
How a platform engineering team embeds supply chain security into infrastructure without slowing developers.
Joan Goodchild, Contributing Writer, Dark Reading
February 10, 2026

For teams responsible for delivering software into connected vehicles, software supply chain security carries significant consequences. A vulnerable update can pose real-world risks to both systems and drivers.

With those stakes in mind, one large automotive manufacturer has reshaped its approach to platform engineering and security. Rather than pushing responsibility onto individual development teams, the organization treats supply chain security as an infrastructure problem that must be solved at the platform level. It built an internal developer platform that removes security decision-making from individual developers and embeds it directly into the platform.

"We cannot deploy software in the vehicle that may have some vulnerabilities," says Gaurav Saxena, director of engineering at a major automaker. "It can pose a risk to both the vehicle and the driver."

Supply chain security is often framed as a compliance or policy issue. But at the developer level, Saxena says, risk appears much earlier, in day-to-day workflows. Much of the software that reaches production depends on previously built components, which are typically reused across teams. As that software ages, new vulnerabilities emerge. Saxena says his company's developer platform addresses this problem.
"We provide shared dev tools and services so that developers can focus on the business needs and not worry about the security," Saxena says. "We as platform engineers provide that out of the box."

Securing the Build Pipeline by Design

Saxena leads the organization responsible for internal developer platforms, data infrastructure, and reliability engineering. His team supports more than 50 engineers and provides shared services that power cloud-to-device and device-to-cloud workflows.

The platform team begins by controlling how container images are built. Rather than relying on large, general-purpose images, they use minimal, purpose-built images that include only the dependencies required to run a specific application. According to Saxena, reducing image size also reduces risk: fewer dependencies mean fewer potential attack vectors and less exposure if a vulnerability is discovered later.

Each image is built from known components and accompanied by a software bill of materials (SBOM) that includes recursive dependency tracking. Images are cryptographically signed so the organization can verify their origin and ensure they have not been altered. The signed images and their SBOMs are then published to the JFrog Artifactory repository, which enforces access controls, enables vulnerability scanning, and provides build-info traceability, linking artifacts back to source commits.

"You know exactly where the image came from," Saxena says, noting that signatures and attestations allow teams to trace artifacts back to specific commits.

Security checks don't stop once an image is built. Images are continuously scanned for vulnerabilities and license compliance before they are admitted into production environments.
Enforcing Security at Runtime

One of the key lessons Saxena emphasizes is that supply chain security cannot be treated as a one-time event. Vulnerabilities are often discovered long after software is built. Images that have sat in registries for months are reevaluated before deployment using policy-based controls in Kubernetes. If a newly disclosed vulnerability is detected, the image is rejected at runtime and won't be used until the issue is addressed.

"This is how we make sure that both at build time and runtime, you are running a hardened base image," Saxena says.

By enforcing these controls at the platform level, developers don't need to maintain their own vulnerability databases, he says. The system blocks unsafe deployments automatically.

However, even with mature controls, security and developer velocity can still collide. Saxena says that last-minute vulnerability findings can slow releases, particularly when teams need to determine whether a reported issue actually applies to a specific workload.

"Not all CVEs are applicable to that particular workflow," he says.

Determining relevance often requires discussion between platform engineers, security teams, and application developers. While this can delay deployments, Saxena says the organization does not compromise on security: issues are resolved before code is deployed.

"Security is always the first-class citizen," he says.

Measuring Impact Beyond Compliance

One of the most tangible outcomes of the platform approach is a reduction in wasted engineering effort. Before the platform was in place, developers were asked to remediate vulnerabilities without sufficient context, and teams spent too much time investigating issues that weren't always relevant – or even exploitable. By centralizing vulnerability analysis and remediation, the organization has reduced duplicate work across teams.
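The deploy-time re-check and the "not all CVEs apply" triage described above can be modelled in a few dozen lines. The following is an added example, not the automaker's, JFrog's or any Kubernetes policy engine's code: it takes the SBOM that accompanied an image at build time, compares its components against an advisory feed that has grown since the build, and only admits the image if every matching advisory is either below the blocking severity or has a recorded "not affected" triage outcome. The SBOM layout follows CycloneDX and the triage records use the OpenVEX status and justification vocabulary; the image name, package names, versions, dates and advisory IDs are all constructed placeholders.

```python
"""Deploy-time re-evaluation of a stored image's SBOM against a vulnerability feed.

Added example, not code from the article or the organization it describes.
Models the policy gate: an image that passed its build-time scan is checked
again when it is about to be deployed, and is rejected if an advisory that
appeared since the build applies to one of its components and has not been
triaged as not affected. All data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
import json

# Constructed CycloneDX-style SBOM for a hypothetical image built 2025-11-03.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2025-11-03T10:00:00Z",
                 "component": {"name": "telemetry-gateway", "version": "2.4.0"}},
    "components": [
        {"name": "libexample", "version": "1.2.3",
         "purl": "pkg:deb/debian/libexample@1.2.3"},
        {"name": "example-http", "version": "4.0.1",
         "purl": "pkg:pypi/example-http@4.0.1"},
        {"name": "zlib", "version": "1.3.1",
         "purl": "pkg:deb/debian/zlib@1.3.1"},
    ],
})

# Constructed advisory feed. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "PLACEHOLDER-2026-0001", "purl": "pkg:deb/debian/libexample@1.2.3",
     "severity": "HIGH", "published": "2026-01-15"},
    {"id": "PLACEHOLDER-2026-0002", "purl": "pkg:pypi/example-http@4.0.1",
     "severity": "CRITICAL", "published": "2026-02-01"},
    {"id": "PLACEHOLDER-2025-0009", "purl": "pkg:deb/debian/zlib@1.2.0",
     "severity": "HIGH", "published": "2025-06-01"},   # other version: no match
]

# Triage outcomes recorded after the platform/security/app-team discussion.
# Status and justification strings follow the OpenVEX vocabulary.
VEX_STATEMENTS = [
    {"vulnerability": "PLACEHOLDER-2026-0002", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass
class Finding:
    advisory_id: str
    purl: str
    severity: str
    published: date
    post_build: bool                     # disclosed after the image was built
    suppressed_by: Optional[str] = None  # VEX justification, if triaged away


@dataclass
class Decision:
    admitted: bool
    blocking: List[Finding] = field(default_factory=list)
    suppressed: List[Finding] = field(default_factory=list)


def evaluate_image(sbom_json: str, advisories, vex_statements) -> Decision:
    """Return the admission decision for an image, given its SBOM."""
    sbom = json.loads(sbom_json)
    built_on = date.fromisoformat(sbom["metadata"]["timestamp"][:10])
    purls = {c["purl"] for c in sbom["components"]}
    # Only 'not_affected' statements may suppress a finding; anything else
    # (under_investigation, affected) leaves the gate closed.
    suppressed_ids = {v["vulnerability"]: v["justification"]
                      for v in vex_statements if v["status"] == "not_affected"}
    decision = Decision(admitted=True)
    for adv in advisories:
        if adv["purl"] not in purls:          # exact package@version match only
            continue
        published = date.fromisoformat(adv["published"])
        finding = Finding(adv["id"], adv["purl"], adv["severity"], published,
                          post_build=published > built_on)
        if adv["id"] in suppressed_ids:
            finding.suppressed_by = suppressed_ids[adv["id"]]
            decision.suppressed.append(finding)
        elif adv["severity"] in BLOCKING_SEVERITIES:
            decision.blocking.append(finding)
            decision.admitted = False
    return decision


if __name__ == "__main__":
    d = evaluate_image(SBOM_JSON, ADVISORIES, VEX_STATEMENTS)
    print("admitted" if d.admitted else "rejected")
    for f in d.blocking:
        print(f"  BLOCK {f.advisory_id} on {f.purl} "
              f"({f.severity}, disclosed after build: {f.post_build})")
    for f in d.suppressed:
        print(f"  skip  {f.advisory_id}: {f.suppressed_by}")
```

With the constructed data the image is rejected: the first advisory was published two months after the build and has no triage record, so the gate closes even though the build-time scan was clean; the second advisory matches but carries a not_affected statement and is reported rather than blocked. The post_build flag is what distinguishes "this passed before and no longer does" from "this was never clean", which is the distinction a platform team needs when deciding whether a failed deployment is a regression in the feed or in the image.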
Saxena says the payoff is clear in the amount of engineering time the teams got back. Developer experience metrics and operational stability are also tracked using frameworks such as DORA metrics. Platform adoption itself reveals the success they are experiencing.

"If everything is working fine, you do not see the platform team," Saxena says. "But if there is a security problem, then it becomes visible."

AI as an Assistive Tool

As AI tools become more common in engineering workflows, Saxena sees them as helpful companions rather than autonomous decision-makers. His team uses AI to assist with investigation tasks, such as pulling dependency data and speeding up vulnerability analysis. But human oversight is still critical.

"You still need a human in the loop," Saxena says. "You cannot just use the AI to say: 'Okay, patch this.'"

Saxena says the work reinforces the importance of abstraction and shared responsibility. It doesn't depend on developers becoming security experts, but it does give them clarity about what they are doing – and why.

"We do not want them to just checklist the boxes for compliance," he says. "We want them to understand why they are doing those guardrails."

About the Author
Joan Goodchild, Contributing Writer, Dark Reading
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.