2024 Talk Stefan Fleckenstein

SBOMs in practice


DESCRIPTION

SBOMs (Software Bills of Materials) are becoming increasingly important: as an inventory of all third-party components used in a piece of software, they are an essential building block for ensuring supply chain security, but they can also help with compliance tasks such as licence or asset management. In the USA, SBOMs are already mandatory for the delivery of software to government authorities, and in the EU they will be required for products with digital elements under the Cyber Resilience Act.
 
Handling SBOMs is still relatively new and involves a number of pitfalls, both in generation and in consumption. What content belongs in a good SBOM? How can I produce an SBOM that carries all the desired information? How can I efficiently check whether an SBOM I have received contains all the desired information?
 
At the start of the presentation, we will give an overview of the various SBOM specifications and look at the use cases that SBOMs support. In the main part, we will use practical examples to show how SBOMs can be created and processed for supply chain security and compliance. We will discuss good practices for procedures and show open source tools that have proven useful when working with SBOMs. At the end, there will be time for an outlook on other topics in the SBOM environment, such as VEX (Vulnerability Exploitability eXchange) documents.


WHY THE COMMITTEE CHOSE THIS TALK

There are a lot of tools that generate different types of BOMs. Stefan will give us an overview and show how you can work with BOMs in real-world security.
