Beyond Zero Trust: Redefining Software Security in the Age of Compromised Code

As cyberattacks evolve from targeting applications to weaponizing the very pipelines that build them, software supply chain security has become the new front line of enterprise defense. The recent NPM and Shai Hulud incidents have shattered the illusion of safety within trusted repositories, exposing how easily attackers can exploit blind trust in open-source ecosystems.

In this exclusive conversation with CISO Forum, Vijendra Katiyar, Co-Founder and Chief Revenue Officer at CleanStart, discusses how the idea of “trust” in software must be redefined—moving from assumption to verification. Katiyar unpacks why provenance, attestation, and SBOM-led governance are no longer optional, but essential pillars of modern DevSecOps. He also outlines how CleanStart is helping enterprises shift from reactive vulnerability management to proactive prevention—achieving verifiable, end-to-end trust from build to deployment.

CISO Forum: The NPM and Shai Hulud attacks exposed deep flaws in software supply chains. What’s the single biggest lesson enterprises should take from these incidents?

Vijendra Katiyar: The NPM and Shai Hulud attacks served as a wake-up call for every organization that relies on open-source and third-party software components. They revealed a hard truth: blind trust in public ecosystems no longer works!

And trust must now be verifiable. Every organization needs to move towards provenance-driven trust, where each software artifact — whether a library, a dependency, or a container — can be verified and traced back to a secure and attested source. This requires embedding verification and attestation into every stage of the build and release process. Security today isn’t about where your software comes from; it’s about whether you can prove that every step in its creation has been validated and tamper-free.

CISO Forum: If even verified repositories can be weaponized, how should organizations rethink their trust model for open-source dependencies?

Vijendra Katiyar: The traditional trust model, where enterprises rely on the reputation of a repository or developer, is fundamentally outdated. Even verified repositories can be compromised, and the Shai Hulud attack is a stark reminder that trust can’t stop at the source. The new paradigm must be built on the principles of zero-trust, where nothing and no one is inherently trusted. In practical terms, this means that enterprises must treat every dependency as untrusted until it is proven otherwise. Security teams need to focus on reproducible builds, cryptographic signatures, and attested provenance, where every artifact is accompanied by verifiable proof of its origin, integrity, and security posture.

CISO Forum: CleanStart promises visibility ‘from build to deploy.’ How does that differ from traditional vulnerability management tools?

Vijendra Katiyar: Traditional vulnerability management tools are fundamentally reactive in nature. They detect and patch vulnerabilities after the software is built or deployed. By the time these tools identify an issue, it’s often already in production, potentially exposing the organization to risk. This approach works for surface-level hygiene but falls short against sophisticated supply chain attacks that originate deep within the build process. We designed our platform to prevent vulnerabilities from reaching production. We achieve this by using curated, minimal, distroless base images that eliminate unnecessary components and reduce the attack surface. Each image has verified provenance and comes with built-in SBOMs and continuous attestation. This creates an environment where every dependency, image, and artifact is verified, not assumed, from build to deployment. Our near-zero CVE approach ensures that most risks are removed at the source.

CISO Forum: SBOMs are becoming the backbone of supply chain governance. Are Indian enterprises prepared for such a level of transparency and discipline?

Vijendra Katiyar: India is moving towards SBOM-led governance, particularly under the guidance of regulatory bodies such as CERT-In, SEBI, and the RBI, which are beginning to mandate SBOM usage across critical sectors like finance and telecom. The awareness and intent are definitely there, and we’ve seen several large enterprises start requesting SBOMs from their vendors as part of due diligence.

However, the overall maturity curve is still shallow. Only about four percent of organizations in India are fully equipped to implement and operationalize SBOM frameworks effectively. Right now, many enterprises still view SBOMs as a compliance checkbox rather than a core security enabler. Actual readiness will emerge when SBOMs are not static documents but part of a living, automated process that is continuously generated, verified, and acted upon.

CISO Forum: How will DevSecOps evolve in a world where the attack surface is shifting from applications to the pipelines that build them?

Vijendra Katiyar: We’re witnessing a fundamental shift – attackers are no longer targeting just the end applications; they’re now exploiting the build pipelines themselves. As software delivery becomes faster and more automated, these CI/CD pipelines have become the new crown jewels of the enterprise. Protecting them is the next frontier of DevSecOps.

The future of DevSecOps lies in securing the pipeline as a first-class citizen of security architecture. Every stage from code commit to artifact release must be instrumented for integrity and verification. This includes embedding SBOM validation, artifact signing, and provenance attestation into the automated workflows that power modern development. Security should not be an afterthought; it must be part of the developer experience itself.

CISO Forum: What’s next for software supply chain security, and how is CleanStart positioning itself to lead that future?

Vijendra Katiyar: The future of software supply chain security is about achieving end-to-end lifecycle trust. It’s no longer enough to secure applications in isolation; organizations must ensure that the pipelines, dependencies, and artifacts that create them are equally secure and verifiable.

We’re transitioning from reactive scanning to proactive prevention, utilizing policy-driven automation that identifies and blocks risks before they reach production. With SBOMs, digital signatures, and cryptographic attestation, enterprises will soon be able to prove the authenticity and integrity of every component they deploy. We deliver build-to-deploy visibility, combining curated minimal images with embedded attestation to provide complete control and transparency. We’re helping enterprises evolve from detecting vulnerabilities to preventing them altogether, creating a trust-centric, future-ready software ecosystem.
