As software is increasingly integrated with many third-party components, particularly open-source components, it is essential to have a clear understanding of all of the software that is being deployed. With an increasing focus on improving the cybersecurity of the many different parts of the supply chain, there is a growing expectation that a Software Bill of Materials (SBOM) will become a key artefact of any software component, helping to capture all of the software assets being used. This talk will briefly introduce the concept of SBOMs and show how a number of Python tools can help in the production, management and use of SBOMs as part of a system lifecycle.
The US Executive Order 14028 (Improving the Nation's Cybersecurity), released in May 2021, significantly raised the profile of the Software Bill of Materials (SBOM) as an important artefact for improving the cybersecurity of deployed products and systems. However, despite a growing awareness of SBOMs in the past 2 years, particularly in some market sectors, the adoption and use of SBOMs is still not widespread. In part this is due to the SBOM use cases not being understood, and in part due to the lack of suitable tooling to help with the generation (although some significant progress is now being made), management and use (or consumption) of SBOMs as part of ongoing system processes.
This talk will identify some key use cases for which SBOMs can be used and then show how a number of open-source tools and libraries (all developed in Python) can help. There will be a particular emphasis on showing how the tools can use SBOMs to help understand the risks associated with the use of a software artefact, particularly one produced (and hopefully maintained) by others.