SBOMs that you can trust - the good, the bad, and the ugly
- Track: Software Bill of Materials devroom
- Room: K.4.401
- Day: Sunday
- Start: 13:00
- End: 13:30
You might be on the journey of adopting Software Bill of Materials (SBOMs) in your organization. What if I told you that your SBOMs might be useless, and even harmful?
During this talk, we'll discuss the overlooked aspect of ensuring the trustworthiness of the SBOM during its lifecycle, from generation to storage, distribution, and processing.
We'll shed some light on what questions to ask about your SBOMs and of whom, and on how you can achieve trust at each step of their lifecycle.
We'll dip our toes into why now, and how we can leverage open source tools and specifications like in-toto attestations, Content Addressable Store, Supply-chain Levels for Software Artifacts (SLSA, pronounced "salsa"), or Sigstore to have SBOMs that are uniquely identifiable, unforgeable, complete, and available.
After this talk, you'll know how to implement end-to-end trust for SBOMs (or other metadata such as VEX or vulnerability scan results) that meets the highest levels of trust required in the Software Supply Chains of the future.
For reference, we'll touch on the following open source projects during this talk.
- https://github.com/slsa-framework/slsa
- https://github.com/sigstore/cosign
- https://github.com/opencontainers/distribution-spec
- https://github.com/chainloop-dev/chainloop
Speakers
Daniel Liszka
Miguel Martinez Trivino