Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Just another talk about SBOM (and VEX)

Dimitrij Klesev
November 26, 2024
Technology
0
29

Just another talk about SBOM (and VEX)

@SBA Security Meetup 26.11.2024
https://www.meetup.com/de-DE/security-meetup-by-sba-research/events/304127699/

Dimitrij Klesev

November 26, 2024
Tweet

More Decks by Dimitrij Klesev

See All by Dimitrij Klesev
Secure Credential Management
dklesev
0
54
eBPF pls fix my bugs!
dklesev
0
53
Modern Development Approach Cloud Native Way
dklesev
0
120
CVE-2020-8554
dklesev
0
30
User Access Management for large Enterprises in Kubernetes
dklesev
0
63
ExternalDNS on K8s with Exoscale
dklesev
1
190

Other Decks in Technology

See All in Technology
日本版とグローバル版のモバイルアプリ統合の開発の裏側と今後の展望
miichan
1
120
成果を出しながら成長する、アウトプット駆動のキャッチアップ術 / Output-driven catch-up techniques to grow while producing results
aiandrox
0
180
kargoの魅力について伝える
magisystem0408
0
200
ハイテク休憩
sat
PRO
2
120
KubeCon NA 2024 Recap / Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads
z63d
1
240
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
250
LINEスキマニにおけるフロントエンド開発
lycorptech_jp
PRO
0
330
大幅アップデートされたRagas v0.2をキャッチアップ
os1ma
2
520
サーバレスアプリ開発者向けアップデートをキャッチアップしてきた #AWSreInvent #regrowth_fuk
drumnistnakano
0
190
社外コミュニティで学び社内に活かす共に学ぶプロジェクトの実践/backlogworld2024
nishiuma
0
250
podman_update_2024-12
orimanabu
1
260
DevOps視点でAWS re:invent2024の新サービス・アプデを振り返ってみた
oshanqq
0
180

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Language of Interfaces
destraynor
154
24k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
Building Adaptive Systems
keathley
38
2.3k
Site-Speed That Sticks
csswizardry
2
190
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
Rails Girls Zürich Keynote
gr2m
94
13k
Side Projects
sachag
452
42k
A designer walks into a library…
pauljervisheath
204
24k
Fireside Chat
paigeccino
34
3.1k
RailsConf 2023
tenderlove
29
940

Transcript

  1. Just another talk about SBOM (and VEX)

  2. What is BOM? 2 Source: https://www.mecalux.com/blog/bill-of-materials-bom

  3. What is BOM? 3 Source: https://www.mecalux.com/blog/bill-of-materials-bom

  4. What is BOM? 4 Source: https://www.mecalux.com/blog/bill-of-materials-bom

  5. What is BOM? - A bill of materials (BOM) is

    a source of information containing a list of items and instructions to design or manufacture a product. - A bill of materials lists the finished product at the top, followed by individual components and materials. 5 Source: https://www.investopedia.com/terms/b/bill-of-materials.asp

  6. What is SBOM? 6 Source: https://tmap.net/node/704

  7. What is SBOM? 7 Source: https://tmap.net/node/704

  8. What is SBOM? - A Software Bill of Materials (SBOM)

    is a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. 8 Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_faq_-_april_15_draft.pdf

  9. Why SBOM? - Provides insight into used components and dependencies

    - Life-cycle management - Effective security management - U.S. EXECUTIVE ORDER 14028 - Formats - SPDX - CycloneDX 9 Sources: https://tmap.net/node/704 https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity

  10. Formats - SPDX - CycloneDX - Software Identification Tags -

    PURL - CPE - SWID (replaces deprecated CPE) 10 Sources: https://scribesecurity.com/de/sbom/standard-formats/#spdx-sbom-standard-format https://www.wiz.io/academy/standard-sbom-formats

  11. Formats (SPDX) 11

  12. Formats (SPDX) 12

  13. Formats (SPDX) 13

  14. Formats (CycloneDX) 14

  15. Formats (CycloneDX) 15

  16. Formats (CycloneDX) 16

  17. Tooling 17

  18. VEX - Vulnerability Exploitability eXchange - “companion artifact to SBOM”

    (NTIA) - specifies the “status” of the present vulnerability - formats - OpenVEX - CycloneDX 18 Sources: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_framing_sharing_july9.pdf https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms

  19. Formats (SARIF) 19

  20. Formats (OpenVEX) 20

  21. Formats (CycloneDX) 21

  22. DEMO

  23. Thank You!

  24. Next step Source: https://slsa.dev/

  25. Q/A - Discussion