Navigating the SBOM landscape: Formats, relevance, and tooling in 2024 @ BSides Bristol '24

Transcript

1. N a vig a ting the SBOM l a ndsc

   a pe: Form a ts, relev a nce, a nd tooling in 2024 Viktor Petersson vpetersson.com

2. $ who a mi

3. Wh a t a re SBOMs?

4. Why now?

5. Wh a t a re SBOMs used for?

6. An a lysis Coll a bor a tion Gener a

   tion

7. Gener a tion

8. The e a sy w a y. Kind a .

9. The form a t w a r

10. from

11. from

12. The tools

13. Generic

14. Dom a in speci f ic tools

15. Completeness & enrichment

16. Tr a nsitive vs. prim a ry dependencies

17. None

18. Source vs. Build vs. Run

19. But w a it...there's more

20. Product SBOM Project SBOM(s) Component SBOM(s) Smart Thermostat Backend IoT

    Device Python SBOM Node SBOM Docker SBOM Rust SBOM Project SBOM Project SBOM

21. But wh a t a bout security?

22. Coll a bor a tion

23. H a ndling SBOMs tod a y feels like m

    a n a ging source code in the 90s, with p a tches sent over em a il.

24. Vendor 1 sbomify Vendor 2 Vendor 3 Buyer 1 Buyer

    2 Buyer 3 SBOM(s) SBOM(s) SBOM(s) Compliance Audit Security Audit License Audit

25. An a lysis

26. None

27. Big Picture

28. Product SBOM Project SBOM(s) Component SBOM(s) Smart Thermostat Backend IoT

    Device Python SBOM Node SBOM Docker SBOM Rust SBOM Project SBOM Project SBOM

29. OBOM CBOM SaaSBOM HBOM ML-BOM VEX Product SBOM Smart Thermostat

30. St a te of SBOMs

31. None
32. None
33. None

34. Q & A

35. More re a ding • NTIA Minimum Elements • Fr

    a ming Softw a re Component Tr a nsp a rency: Est a blishing a Common Softw a re Bill of M a teri a ls (SBOM) (2nd edition) • 3nd edition is rele a sed shortly • SBOM Resources • CISA Working Group: SBOM Gener a tion • Sh a meless self plug: sbomify • Slides will be a v a il a ble on vpetersson.com/ a bout Sc a n for deep dive!