Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Just another talk about SBOM (and VEX)

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Dimitrij Klesev Dimitrij Klesev
November 26, 2024
Technology
89
0

Just another talk about SBOM (and VEX)

@SBA Security Meetup 26.11.2024
https://www.meetup.com/de-DE/security-meetup-by-sba-research/events/304127699/

Avatar for Dimitrij Klesev

Dimitrij Klesev

November 26, 2024

More Decks by Dimitrij Klesev

See All by Dimitrij Klesev
Tetragon
Avatar for Dimitrij Klesev dklesev
0
45
Secure Credential Management
Avatar for Dimitrij Klesev dklesev
0
120
eBPF pls fix my bugs!
Avatar for Dimitrij Klesev dklesev
0
130
Modern Development Approach Cloud Native Way
Avatar for Dimitrij Klesev dklesev
0
150
CVE-2020-8554
Avatar for Dimitrij Klesev dklesev
0
48
User Access Management for large Enterprises in Kubernetes
Avatar for Dimitrij Klesev dklesev
0
85
ExternalDNS on K8s with Exoscale
Avatar for Dimitrij Klesev dklesev
1
220

Other Decks in Technology

See All in Technology
AIの性能が向上しても未解決な組織の重大問題は何か?/An Unsolved Organizational Problem in the Age of AI
Avatar for moriyuya moriyuya
4
670
AIっぽい文章を採点して人間らしく直すアプリを作ってみた
Avatar for Yuuki Yamashita yama3133
2
180
2026TECHFRESH畢業分享會 - 原生還是跨平台? App 開發踩坑實錄
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1k
気づかぬうちにセキュリティ負債を生むAPIキー運用
Avatar for Michitaka Sugawara sgwrmctk
0
120
攻撃者視点で考えるDetection Engineering
Avatar for Ruslan Sayfiev cryptopeg
3
1.8k
AIネイティブな開発のサプライチェーンリスク対策 〜激動の開発現場でリスクに立ち向かう〜【ZennFes】
Avatar for サイバーセキュリティクラウド cscengineer
PRO
2
130
マルチアカウント環境での コーディングエージェントを使った障害調査が大変なので AIエージェントにReadOnly権限を付与してみた / ReadOnly AI Agents for Multi-Account AWS Incident Response
Avatar for Takashi Yamaguchi yamaguchitk333
2
100
フロンティアAIのゲート化と地政学リスク
Avatar for 長津孝輔 nagatsu
0
140
【Cyber-sec+】経営層を"動かす"ための考え方
Avatar for Hisashi Hibino hssh2_bin
0
180
失敗を経て、Harness Engineering で 大切にしたいことを考える / Learning from Failure: What Matters in Harness Engineering
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
1
370
人材育成分科会.pdf
Avatar for _awache _awache
4
250
エンジニアリング戦略の作り方 / Crafting Engineering Strategy
Avatar for iwashi iwashi86
21
6.9k

Featured

See All Featured
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
310
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6.2k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
270
14k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
29
4.3k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
160
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.5k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
<Decoding/> the Language of Devs - We Love SEO 2024
Avatar for Nikki Halliwell nikkihalliwell
1
240
Scaling GitHub
Avatar for Zach Holman holman
464
140k
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
3.5k
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.6k
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
840

Transcript

  1. Just another talk about SBOM (and VEX)

  2. What is BOM? 2 Source: https://www.mecalux.com/blog/bill-of-materials-bom

  3. What is BOM? 3 Source: https://www.mecalux.com/blog/bill-of-materials-bom

  4. What is BOM? 4 Source: https://www.mecalux.com/blog/bill-of-materials-bom

  5. What is BOM? - A bill of materials (BOM) is

    a source of information containing a list of items and instructions to design or manufacture a product. - A bill of materials lists the finished product at the top, followed by individual components and materials. 5 Source: https://www.investopedia.com/terms/b/bill-of-materials.asp

  6. What is SBOM? 6 Source: https://tmap.net/node/704

  7. What is SBOM? 7 Source: https://tmap.net/node/704

  8. What is SBOM? - A Software Bill of Materials (SBOM)

    is a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. 8 Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_faq_-_april_15_draft.pdf

  9. Why SBOM? - Provides insight into used components and dependencies

    - Life-cycle management - Effective security management - U.S. EXECUTIVE ORDER 14028 - Formats - SPDX - CycloneDX 9 Sources: https://tmap.net/node/704 https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity

  10. Formats - SPDX - CycloneDX - Software Identification Tags -

    PURL - CPE - SWID (replaces deprecated CPE) 10 Sources: https://scribesecurity.com/de/sbom/standard-formats/#spdx-sbom-standard-format https://www.wiz.io/academy/standard-sbom-formats

  11. Formats (SPDX) 11

  12. Formats (SPDX) 12

  13. Formats (SPDX) 13

  14. Formats (CycloneDX) 14

  15. Formats (CycloneDX) 15

  16. Formats (CycloneDX) 16

  17. Tooling 17

  18. VEX - Vulnerability Exploitability eXchange - “companion artifact to SBOM”

    (NTIA) - specifies the “status” of the present vulnerability - formats - OpenVEX - CycloneDX 18 Sources: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_framing_sharing_july9.pdf https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms

  19. Formats (SARIF) 19

  20. Formats (OpenVEX) 20

  21. Formats (CycloneDX) 21

  22. DEMO

  23. Thank You!

  24. Next step Source: https://slsa.dev/

  25. Q/A - Discussion