SlideShare a Scribd company logo

SBOM, Is It 42?

Bill Bensing
Bill Bensing

The document is a presentation on SBOMs (Software Bill of Materials) given by Bill Bensing. It discusses the history of SBOMs including key standards and the 2021 US Executive Order mandating their use. It outlines the reasons for using SBOMs such as identifying license, vulnerability, and component issues. The presentation covers SBOM basics, challenges around current tooling and automation, and provides guidance on effective SBOM processes.

Technology
1 of 92
Download to read offline
v1.0.0 DevOps Days Tampa Bay - 2022 SBOM, Is It 42? Bill Bensing October 21, 2022 1
v1.0.0 Beyonce Rule 2 If You Like It, Then You Should Tweet On It @BillBensing
v1.0.0 3 “Make the right way, the easy and default way, for anyone who wants to build software.” Bill Bensing Global Lead - Application Delivery Red Hat Customer Success
v1.0.0 4 Investments Unlimited A Novel About DevOps, Security, Audit Compliance, and Thriving in the Digital Age By Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Dr. Tapabrata "Topo" Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis https:/ /itrevolution.com/investments-unlimited-book
v1.0.0 5 ! WARNING !
v1.0.0 6 I Have Never Watched Hitchhiker's Guide All The Way Through
v1.0.0 7 Do You Know What 42 Is?
v1.0.0 8 The Answer To Life…
v1.0.0 9 I Only Know What 42 Means Because Of Jeopardy
v1.0.0 10 So…
v1.0.0 11 I Will Not Get ANY Movie References Beyond 42
v1.0.0 12 Well, the ones not included in this talk.
v1.0.0 13 The Bottom Line Up Front
v1.0.0 14 If You Do Not Have Good SCA Hygiene
v1.0.0 15 SCA Software Composition Analysis
v1.0.0 16 Focus on SCA First
v1.0.0 17 Then, Think About SBOMs
v1.0.0 18 1. Brief SBOM History 2. Why An SBOM? 3. SBOM Basics 4. SBOM Problems 5. Hitchhiker's Guide to SBOMs Agenda
v1.0.0 Brief SBOM History 19
v1.0.0 SBOM History 20 ▸ No “Source of Truth” for history ▸ 2010 - SPDX created (Linux Foundation) ▸ 2017 - CycloneDx Created (OWASP)
v1.0.0 Two Main Types (Formats) of SBOMs 21 The Diagnosis Source: https://www.settletop.com/insights/understanding-sbom-standards-cyclonedx-spdx-swid ● Software Package Data Exchange ● Focus on open source license compliance ● More focused on vulnerability and security ● Open source license, vulnerability identification, outdated component analysis SPDX CycloneDX
v1.0.0 SBOM History 22 The Diagnosis
v1.0.0 23 Source: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Executive Order on Improving The Nation’s Cybersecurity May 12, 2021
v1.0.0 24 Source: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Sec. 2. Removing Barriers to Sharing Threat Information. (vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website; Sec. 2. Removing Barriers to Sharing Threat Information. (f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM. Executive Order on Improving The Nation’s Cybersecurity May 12, 2021
v1.0.0 25 Source: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ CISA Binding Operational Directive - BOD 22-01 Nov. 03, 2021
v1.0.0 Why An SBOM 26
v1.0.0 27 Analogy - A Food Label Tells You What You’re Consuming
v1.0.0 28 So, Why use SBOMs?
v1.0.0 29 SBOMs are Decision Support for Software Composition
v1.0.0 30 Focused On Software & System Composition Analysis
v1.0.0 31 1. License Evaluation
v1.0.0 32 2. Known Vulnerabilities
v1.0.0 33 3. Outdated Components
v1.0.0 34 Two Additional Aspects of Software
v1.0.0 35 Pedigree
v1.0.0 36 Provenance
v1.0.0 37 SBOMs Help Us To Answer Questions Such As…
v1.0.0 38 How Do We Detect The Next Log4Shell?
v1.0.0 The Problem 39 What Does It Mean To Detect Log4Shell? ▸ Companies want ・ Be notified as soon as possible of a vulnerability is identified ・ Needs to know what specific software is affected ・ Needs to know where the affected software is stored, or running ▸ This information is the basis of their plans to resolve the problem.
v1.0.0 The Problem 40 What Does It Mean To Detect Log4Shell? ▸ How It Happens ・ Detect vulnerability when I build software ・ Detect vulnerability while my software is at rest, in a repository ・ Detect vulnerability while my software is running in production ・ Detect vulnerability when I download public repos to my internal repo mirrors ・ Detect vulnerability when I deploy my software
v1.0.0 SBOM Basics 41
v1.0.0 42 Source: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Executive Order on Improving The Nation’s Cybersecurity May 12, 2021
v1.0.0 43 Source: https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom NTIA Response To The Executive Order July 12, 2021
v1.0.0 44 Source: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ NTIA Response To The Executive Order July 12, 2021 NTIA SBOM Fields SPDX CycloneDx Supplier Name (3.5) PackageSupplier: publisher Component Name (3.5) PackageSupplier: name Unique Identifier (3.2) SPDXID: bom/serialNumber and component/bom-ref Version String (3.3) PackageVersion: version Component Hash (3.10) PackageChecksum: hash Relationship (3.10) PackageChecksum: CONTAINS (Nested assembly/subassembly and/or dependency graphs) Author Name (2.8) Creator: bom-descriptor:metadata/manufacture/contact
v1.0.0 45 Source:https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf
v1.0.0 Classifying SBOM Tools 46 Tools Types That Produce SBOMS Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf ▸ Build ・ SBOM is automatically created as part of building a software artifact and contains information about the build. ▸ Manual ・ A person will manually fill in the SBOM information ▸ Analysis ・ Analysis of source or binary files will generate the SBOM by inspection of the artifacts and any associated sources.
v1.0.0 Classifying SBOM Tools 47 Tool Types That Consume SBOMs Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf ▸ View ・ Understand the contents in human readable form (picture, figures, tables, text.). Use to support decision making & business processes. ▸ Diff ・ Compare two documents of a given formation and clearly see the differences. For instance, comparing between two versions of a piece of software. ▸ Import ・ Import an SBOM into your system for further processing.
v1.0.0 Classifying SBOM Tools 48 Tools Types That Transform SBOMs Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf ▸ Translate ・ Change from one file type to another file type while preserving the same information. ▸ Merge ・ Multiple sources of documents can be merged together for analysis and audit purposes ▸ Tool Support ・ Support use in other tools by APIs, object models, libraries, or other reference sources.
v1.0.0 49 Two Guiding Principles
v1.0.0 50 GP #1 Scan Once, Continuously Verify
v1.0.0 Scan Once, Continuously Verify 51 #1 Guiding Principle ▸ Generate an SBOM in your CI pipeline ▸ Persist the SBOM ▸ Evaluate the SBOM ・ Hourly/Daily/Weekly automated reviews ・ Ad-Hoc notifications & queries
v1.0.0 52 GP #2 CIA Assessment For Action
v1.0.0 CIA Assessment for Actions 53 #2 Guiding Principle Source: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition ▸ Confidentiality ・ Measures used to ensure the protection of the secrecy of data, objects, or resources. ▸ Integrity ・ Concept of protecting the reliability and correctness of data. ▸ Availability ・ Authorized subjects are granted timely and uninterrupted access to objects.
v1.0.0 SBOM Problems 54
v1.0.0 55 If I Gave You an SBOM Today
v1.0.0 56 How Would You Handle It?
v1.0.0 57 What Would You Do With It?
v1.0.0 58 What Actions Would It Drive?
v1.0.0 59 My Bet…
v1.0.0 60 NONE At Least Right Now
v1.0.0 61 Why?
v1.0.0 62 Answer My Question With Another Question
v1.0.0 63 How Does Your Own SCA Work?
v1.0.0 64 Non-Existent? Poorly? Good?
v1.0.0 65 How Would You Use An SBOM To…
v1.0.0 66 Assess Known Vulnerabilities?
v1.0.0 67 Or…
v1.0.0 68 Take Action On An Outdated Component?
v1.0.0 69 To Do This Well
v1.0.0 70 100% Automated Software Testing
v1.0.0 71 For Example…
v1.0.0 72 Can You Auto-Merge A POM Revision In Your Company?
v1.0.0 73 Without Breaking All The Things?
v1.0.0 74 SBOMs Are Great For Helping To Make Decisions
v1.0.0 75 BUT…
v1.0.0 76 If You Can’t Take Effective Action
v1.0.0 77 What Is This All Worth Then?
v1.0.0 Hitchhiker’s Guide to SBOMs 78
v1.0.0 79 Don’t Forget Your Towel (aka SCA)
v1.0.0 80 #1 Effective SCA Process For SDLC
v1.0.0 81 #2 Automated SBOM Generation
v1.0.0 82 #3 Automated SBOM Ingestion
v1.0.0 83 AutoGov Demo
v1.0.0 84 So Long, And Thanks For All The Fish
v1.0.0 linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat No Questions Just Conversations 85 Bill Bensing Red Hat Customer Success Global Lead - Application Delivery Home billbensing.com LinkedIn linkedin.com/in/billbensing Twitter @BillBensing
v1.0.0 86 You Probably Don’t Need An SBOM Capability
v1.0.0 87 Just Yet, Unless…
v1.0.0 88 Your Customer Requires One
v1.0.0 89 By Customer, I Mean…
v1.0.0 90 A U.S. Government Entity
v1.0.0 91 SBOM Is Being Driven By the U.S. Government
v1.0.0 92 Directly To The Defense Industrial Base

Recommended

Security: The Value of SBOMs
Security: The Value of SBOMsSecurity: The Value of SBOMs
Security: The Value of SBOMsWeaveworks
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfICS
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nistNaveen Koyi
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community
 

Recommended

Security: The Value of SBOMs
Security: The Value of SBOMsSecurity: The Value of SBOMs
Security: The Value of SBOMsWeaveworks
 
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfSoftware Bill of Materials - Accelerating Your Secure Embedded Development.pdf
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdfICS
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nistNaveen Koyi
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsJim Bugwadia
 
Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...Amazon Web Services
 
DevSecOps - CI/CD com Pentest e Análise de Vulnerabilidades
DevSecOps - CI/CD com Pentest e Análise de VulnerabilidadesDevSecOps - CI/CD com Pentest e Análise de Vulnerabilidades
DevSecOps - CI/CD com Pentest e Análise de VulnerabilidadesVagner Rodrigues Fernandes
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiRaphael Denipotti
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...Amazon Web Services
 
5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to Practice5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to PracticeAlgoSec
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines Abdul_Mujeeb
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CDCprime
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency CheckVandana Verma
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
Secure webdev 3.0
Secure webdev 3.0Secure webdev 3.0
Secure webdev 3.0toots marcelo
 
2022 December Patch Tuesday
2022 December Patch Tuesday2022 December Patch Tuesday
2022 December Patch TuesdayIvanti
 

More Related Content

What's hot

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsJim Bugwadia
 
Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...Amazon Web Services
 
DevSecOps - CI/CD com Pentest e Análise de Vulnerabilidades
DevSecOps - CI/CD com Pentest e Análise de VulnerabilidadesDevSecOps - CI/CD com Pentest e Análise de Vulnerabilidades
DevSecOps - CI/CD com Pentest e Análise de VulnerabilidadesVagner Rodrigues Fernandes
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiRaphael Denipotti
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...Amazon Web Services
 
5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to Practice5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to PracticeAlgoSec
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines Abdul_Mujeeb
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CDCprime
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency CheckVandana Verma
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep diveWinton Winton
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 

What's hot (20)

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply Chains
 
Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...
 
DevSecOps - CI/CD com Pentest e Análise de Vulnerabilidades
DevSecOps - CI/CD com Pentest e Análise de VulnerabilidadesDevSecOps - CI/CD com Pentest e Análise de Vulnerabilidades
DevSecOps - CI/CD com Pentest e Análise de Vulnerabilidades
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...
CI/CD Best Practices for Building Modern Applications - MAD302 - Anaheim AWS ...
 
5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to Practice5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to Practice
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
Transforming Organizations with CI/CD
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CD
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency Check
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 

Similar to SBOM, Is It 42?

2022 December Patch Tuesday
2022 December Patch Tuesday2022 December Patch Tuesday
2022 December Patch TuesdayIvanti
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceCasey Ellis
 
Beacosystem Talk @ MongoDB User Group Dublin @sos100
Beacosystem Talk @ MongoDB User Group Dublin @sos100Beacosystem Talk @ MongoDB User Group Dublin @sos100
Beacosystem Talk @ MongoDB User Group Dublin @sos100Sean O'Sullivan
 
Walking Through Spring Cloud Data Flow
Walking Through Spring Cloud Data FlowWalking Through Spring Cloud Data Flow
Walking Through Spring Cloud Data FlowVMware Tanzu
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats FasterForce 3
 
Kubernetes Hardening Guidance
Kubernetes Hardening GuidanceKubernetes Hardening Guidance
Kubernetes Hardening GuidanceAlex492583
 
cyber defense.pptx
cyber defense.pptxcyber defense.pptx
cyber defense.pptxssuser649aaa
 
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!Steven Rhyner
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Securitywremes
 
AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties
AusCERT 2016 - An Unlikely Romance: The Current State of Bug BountiesAusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties
AusCERT 2016 - An Unlikely Romance: The Current State of Bug BountiesCasey Ellis
 
2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservice2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservicedevopsdaysaustin
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handlingOlle E Johansson
 
2021 October Patch Tuesday
2021 October Patch Tuesday2021 October Patch Tuesday
2021 October Patch TuesdayIvanti
 
5 top techniques for testing blockchain apps
5 top techniques for testing blockchain apps5 top techniques for testing blockchain apps
5 top techniques for testing blockchain appsCigniti Technologies Ltd
 
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...DevOpsDays Tel Aviv
 
Unembedding embedded systems with TDD: Benefits of going beyond the make it w...
Unembedding embedded systems with TDD: Benefits of going beyond the make it w...Unembedding embedded systems with TDD: Benefits of going beyond the make it w...
Unembedding embedded systems with TDD: Benefits of going beyond the make it w...Francisco Climent Pérez
 

Similar to SBOM, Is It 42? (20)

Secure webdev 3.0
Secure webdev 3.0Secure webdev 3.0
Secure webdev 3.0
 
2022 December Patch Tuesday
2022 December Patch Tuesday2022 December Patch Tuesday
2022 December Patch Tuesday
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely RomanceACRNA Webinar #5: Cyber Security – The Unlikely Romance
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
 
Beacosystem Talk @ MongoDB User Group Dublin @sos100
Beacosystem Talk @ MongoDB User Group Dublin @sos100Beacosystem Talk @ MongoDB User Group Dublin @sos100
Beacosystem Talk @ MongoDB User Group Dublin @sos100
 
Walking Through Spring Cloud Data Flow
Walking Through Spring Cloud Data FlowWalking Through Spring Cloud Data Flow
Walking Through Spring Cloud Data Flow
 
Detect Threats Faster
Detect Threats FasterDetect Threats Faster
Detect Threats Faster
 
Pcidss
PcidssPcidss
Pcidss
 
Pci dss v2
Pci dss v2Pci dss v2
Pci dss v2
 
Kubernetes Hardening Guidance
Kubernetes Hardening GuidanceKubernetes Hardening Guidance
Kubernetes Hardening Guidance
 
cyber defense.pptx
cyber defense.pptxcyber defense.pptx
cyber defense.pptx
 
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties
AusCERT 2016 - An Unlikely Romance: The Current State of Bug BountiesAusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties
AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties
 
2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservice2016 - 10 questions you should answer before building a new microservice
2016 - 10 questions you should answer before building a new microservice
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
Kinect Lab Pt.
Kinect Lab Pt.Kinect Lab Pt.
Kinect Lab Pt.
 
2021 October Patch Tuesday
2021 October Patch Tuesday2021 October Patch Tuesday
2021 October Patch Tuesday
 
5 top techniques for testing blockchain apps
5 top techniques for testing blockchain apps5 top techniques for testing blockchain apps
5 top techniques for testing blockchain apps
 
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
 
Unembedding embedded systems with TDD: Benefits of going beyond the make it w...
Unembedding embedded systems with TDD: Benefits of going beyond the make it w...Unembedding embedded systems with TDD: Benefits of going beyond the make it w...
Unembedding embedded systems with TDD: Benefits of going beyond the make it w...
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

SBOM, Is It 42?