Software Bills of Materials (SBOMs) have emerged as a powerful tool for guiding supply chain security in modern software development environments. As an 'ingredients list' of the files, package dependencies and other artefacts that a piece of software is made up of, SBOMs are becoming an essential part of modern software development practices.
Open source software provides great transparency and can yield rapid vulnerability patching, but this is too often compromised by sprawling dependency trees which make it difficult to find vulnerable components in larger software projects. With SBOMs, there's a way of effectively cataloguing software components and the package metadata needed to check the integrity, pedigree and provenance of software supply chains. This talk will cover the benefits of having a common standard for creating, sharing and consuming Software Bill of Materials, what SBOMs should and should not contain, and how to use SBOMs to inform security measures across the diverse range of package ecosystems.
In particular, this talk will cover the distinctive qualities of effective Software Bill of Materials:
Immutability - it may be tempting to include known vulnerabilities and other dynamic data in SBOMs, but this leads to uncertainty and duplication of effort when that data inevitably changes. This talk will show how to link dynamic data into SBOMs in a way that maintains the SBOM's immutability.
Verifiability - it's hard to trust an SBOM when you can't verify that its contents are correct. Including robust cryptographic hashes is a critical part of creating SBOMs. This talk will show how relationships in SBOMs can be used to associate the hashes of build artefacts with source code, providing a way to trace back to the original projects even when programs are statically linked!
Compatibility - no single program can check for every type of vulnerability across every package ecosystem, so using SBOMs as a compatible interchange format between security tools is essential for dependency analysis at scale. This talk will cover the current state of compatibility between security tools, concluding with practical ways that developers can integrate SBOM creation and ingestion into their build systems.
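As an added illustration of the verifiability and immutability points above (example code written for this page, not from the talk or any SBOM standard), the script below checks a build artefact against the hash recorded in a constructed minimal SBOM, follows GENERATED_FROM / STATIC_LINK relationships back to the source packages, and keeps vulnerability data outside the SBOM in a separate record pinned to the SBOM's own digest. The field and relationship names, the artefact bytes and the vulnerability record are all assumptions constructed for the example.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed build artefact standing in for a statically linked binary (sample bytes only).
ARTIFACT = b"\x7fELF-example-binary-with-libfoo-statically-linked"
# Constructed minimal SBOM; field and relationship names are an assumption loosely modelled on
# SPDX-style packages, checksums and relationships. It deliberately carries no vulnerability data.
SBOM = {
    "name": "app-1.2.3-sbom",
    "packages": [
        {"id": "app-binary", "name": "app", "sha256": sha256_hex(ARTIFACT)},
        {"id": "app-source", "name": "app", "version": "1.2.3"},
        {"id": "libfoo-source", "name": "libfoo", "version": "0.9"},
    ],
    "relationships": [
        {"from": "app-binary", "type": "GENERATED_FROM", "to": "app-source"},
        {"from": "app-binary", "type": "STATIC_LINK", "to": "libfoo-source"},
    ],
}

def verify_artifact(sbom: dict, pkg_id: str, data: bytes) -> bool:
    """Verifiability: the artefact on disk must match the hash recorded in the SBOM."""
    pkg = next(p for p in sbom["packages"] if p["id"] == pkg_id)
    return pkg.get("sha256") == sha256_hex(data)

def trace_sources(sbom: dict, pkg_id: str, seen=None) -> set:
    """Follow GENERATED_FROM / STATIC_LINK relationships transitively back to source packages."""
    seen = set() if seen is None else seen
    for rel in sbom["relationships"]:
        if rel["from"] == pkg_id and rel["type"] in ("GENERATED_FROM", "STATIC_LINK") \
                and rel["to"] not in seen:
            seen.add(rel["to"])
            trace_sources(sbom, rel["to"], seen)
    return seen

def sbom_digest(sbom: dict) -> str:
    """Immutability: hash a canonical serialisation so external data can pin this exact SBOM."""
    return sha256_hex(json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode())

# Constructed vulnerability record kept outside the SBOM and pinned to it by digest.
VULN_RECORD = {"sbom_sha256": sbom_digest(SBOM), "affected_package": "libfoo-source"}

def affected_artifacts(sbom: dict, record: dict) -> list[str]:
    """Binaries that trace back to the affected package, only if the record pins this exact SBOM."""
    if record["sbom_sha256"] != sbom_digest(sbom):
        return []  # record was produced against a different SBOM: do not apply it
    return [p["id"] for p in sbom["packages"]
            if record["affected_package"] in trace_sources(sbom, p["id"])]
```

Because the vulnerability record references the SBOM by digest, the SBOM itself never changes when new advisories appear; only the external record does.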
Speakers: Sebastian Crane