Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Just another talk about SBOM (and VEX)

Just another talk about SBOM (and VEX)

Dimitrij Klesev

November 26, 2024
Tweet

More Decks by Dimitrij Klesev

Other Decks in Technology

Transcript

  1. What is BOM? - A bill of materials (BOM) is

    a source of information containing a list of items and instructions to design or manufacture a product. - A bill of materials lists the finished product at the top, followed by individual components and materials. 5 Source: https://www.investopedia.com/terms/b/bill-of-materials.asp
  2. What is SBOM? - A Software Bill of Materials (SBOM)

    is a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. 8 Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_faq_-_april_15_draft.pdf
  3. Why SBOM? - Provides insight into used components and dependencies

    - Life-cycle management - Effective security management - U.S. EXECUTIVE ORDER 14028 - Formats - SPDX - CycloneDX 9 Sources: https://tmap.net/node/704 https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
  4. Formats - SPDX - CycloneDX - Software Identification Tags -

    PURL - CPE - SWID (replaces deprecated CPE) 10 Sources: https://scribesecurity.com/de/sbom/standard-formats/#spdx-sbom-standard-format https://www.wiz.io/academy/standard-sbom-formats
  5. VEX - Vulnerability Exploitability eXchange - “companion artifact to SBOM”

    (NTIA) - specifies the “status” of the present vulnerability - formats - OpenVEX - CycloneDX 18 Sources: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_framing_sharing_july9.pdf https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms