Secure Software Development: SBOM

Transcript

1. Secure software development
 SBOM
 Copyright © 2024 The Linux Foundation®.

   All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.


2. About me
 2
 DevOps Engineer @Bosch Service Solutions/ETAS OpenSSF SBOM

   everywhere SIG member 6+ yrs working for major international companies (mainly USA) MBA on Data Science & Analytics USP/Esalq

3. Agenda
 Supply chain attacks cases
 SBOM & Analysis
 Tooling
 Further

   Explorations
 
 3 3


4. Supply Chain


5. Supply Chain
 Components, libraries, tools, processes used to develop, build

   and publish a software artifact 5


6. Supply chain attacks


7. Typosquatting
 boltdb/go/bolt
 
 7


8. boltdb-go/bolt - Typosquatting
 Malicious package impersonating the legit github.com/boltdb/bolt Leverage

   Go module proxy cache mechanism Remote code execution via c2 server Undetected for 3 years 8
 Gopher Illustration by Maria Letta

9. Slopsquatting
 LLM Hallucinations:
 non-existing packages
 
 9


10. Slopsquatting
 10


11. SBOM


12. Components & Dependencies
 12


13. SBOM
 Minimal Elements
 13


14. SBOM Minimal Elements
 A baseline an SBOM should meet •

    Data fields ◦ Author ◦ Software producer ◦ License ◦ Component hash ◦ Dependency relationship 14


15. SBOM
 Analysis & Formats


16. SBOM Analysis
 • Direct and Transient dependencies • Licenses •

    Library Capabilities 16


17. SBOM Analysis: github.com/cli/go-gh v1.2.1
 17


18. SBOM Formats
 • SPDX Open Standard（ISO/IEC I5962:2021） • CycloneDX （Owasp

    and Ecma-424) 18


19. Tooling
 19


20. Tooling
 Cylonedx-gomod - SBOM for Go modules Syft - SBOM

    Generator * Grype - Security Scanner Capslock - Capability analysis for Go Dependency Track - OSS SBOM Analysis Platform 20


21. SBOM
 Further explorations


22. SBOM Further Explorations
 AI Systems Components not captured by minimal

    elements. AI is increasingly embedded in software systems and organizations should retain and improve visibility of the system components to manage risks appropriately. 22


23. References
 Typosquatting Attacks https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence Slopsquatting https://fossa.com/blog/slopsquatting-ai-hallucinations-new-software-supply-chain-risk/ 2025 CISA SBOM Minimum

    Elements https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom Syft https://github.com/anchore/syft Dependency Track https://dependencytrack.org/ Capslock https://github.com/google/capslock Cyclonedx-gomod https://github.com/CycloneDX/cyclonedx-gomod 23


24. References
 CycloneDX https://cyclonedx.org/specification/overview/ https://cyclonedx.org/tool-center/ SPDX https://spdx.dev/about/overview/ https://spdx.dev/use/spdx-tools/ 24


25. Thanks
 Copyright © 2024 The Linux Foundation®. All rights reserved.

    The Linux Foundation has registered trademarks and uses trademarks.