The document is a presentation on SBOMs (Software Bill of Materials) given by Bill Bensing. It discusses the history of SBOMs including key standards and the 2021 US Executive Order mandating their use. It outlines the reasons for using SBOMs such as identifying license, vulnerability, and component issues. The presentation covers SBOM basics, challenges around current tooling and automation, and provides guidance on effective SBOM processes.
3. v1.0.0
“Make the right way, the easy and default way, for anyone who wants to build software.”
Bill Bensing
Global Lead - Application Delivery
Red Hat Customer Success
Investments Unlimited
A Novel About DevOps, Security, Audit Compliance, and Thriving in the Digital Age
By Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Dr. Tapabrata "Topo" Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis
https://itrevolution.com/investments-unlimited-book
SBOM History
▸ No “Source of Truth” for history
▸ 2010 - SPDX created (Linux Foundation)
▸ 2017 - CycloneDx Created (OWASP)
Two Main Types (Formats) of SBOMs
The Diagnosis
Source: https://www.settletop.com/insights/understanding-sbom-standards-cyclonedx-spdx-swid
▸ SPDX (Software Package Data Exchange)
・ Focus on open source license compliance
▸ CycloneDX
・ More focused on vulnerability and security
・ Open source license, vulnerability identification, outdated component analysis
Source: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Executive Order on Improving The Nation’s Cybersecurity
May 12, 2021
Sec. 2. Removing Barriers to Sharing Threat Information.
(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
Sec. 2. Removing Barriers to Sharing Threat Information.
(f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.
The Problem
What Does It Mean To Detect Log4Shell?
▸ Companies want to
・ Be notified as soon as possible when a vulnerability is identified
・ Know what specific software is affected
・ Know where the affected software is stored or running
▸ This information is the basis of their plans to resolve the problem.
The Problem
What Does It Mean To Detect Log4Shell?
▸ How It Happens
・ Detect vulnerability when I build software
・ Detect vulnerability while my software is at rest, in a repository
・ Detect vulnerability while my software is running in production
・ Detect vulnerability when I download public repos to my internal repo mirrors
・ Detect vulnerability when I deploy my software
Classifying SBOM Tools
Tool Types That Produce SBOMs
Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf
▸ Build
・ SBOM is automatically created as part of building a software artifact and contains information about the build.
▸ Manual
・ A person manually fills in the SBOM information.
▸ Analysis
・ Analysis of source or binary files generates the SBOM by inspection of the artifacts and any associated sources.
Classifying SBOM Tools
Tool Types That Consume SBOMs
Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf
▸ View
・ Understand the contents in human-readable form (pictures, figures, tables, text). Used to support decision making and business processes.
▸ Diff
・ Compare two documents of a given format and clearly see the differences, for instance between two versions of a piece of software.
▸ Import
・ Import an SBOM into your system for further processing.
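Two of the needs above meet in one small script: the Log4Shell slide asks "what specific software is affected?", and the Diff tool type asks what changed between two SBOM versions. The following is an added Python example, not code from the deck or from any SBOM project; the two CycloneDX-style SBOMs and the advisory are constructed inline, and the advisory identifier is a placeholder rather than a real CVE number.

```python
import json

# Constructed CycloneDX-style SBOMs (JSON). Only the fields this example
# reads are included: bomFormat, specVersion, components[name/version/purl].
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ],
})
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ],
})

# Constructed advisory: the affected range is inclusive at both ends and the
# id is a placeholder, not a real CVE number.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER", "name": "log4j-core",
            "affected_from": "2.0", "affected_to": "2.14.1"}

def vtuple(version):
    """Turn '2.14.1' into (2, 14, 1) so dotted numeric versions compare."""
    return tuple(int(p) for p in version.split("."))

def components(sbom_json):
    """Return {name: component} for the SBOM's top-level components."""
    return {c["name"]: c for c in json.loads(sbom_json).get("components", [])}

def find_affected(sbom_json, advisory):
    """'What specific software is affected?': purls of in-range components."""
    lo, hi = vtuple(advisory["affected_from"]), vtuple(advisory["affected_to"])
    return [c["purl"] for c in components(sbom_json).values()
            if c["name"] == advisory["name"] and lo <= vtuple(c["version"]) <= hi]

def diff_components(old_json, new_json):
    """The 'Diff' tool type: components whose version changed between SBOMs."""
    old, new = components(old_json), components(new_json)
    return {name: (old[name]["version"], new[name]["version"])
            for name in old.keys() & new.keys()
            if old[name]["version"] != new[name]["version"]}

if __name__ == "__main__":
    print(find_affected(SBOM_V1, ADVISORY))   # the 2.14.1 purl
    print(find_affected(SBOM_V2, ADVISORY))   # [] after the upgrade
    print(diff_components(SBOM_V1, SBOM_V2))  # {'log4j-core': ('2.14.1', '2.17.1')}
```

Answering "where is it stored or running?" needs the SBOM to be linked to deployment inventory, which is the Import step that feeds it into your own systems.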
Classifying SBOM Tools
Tool Types That Transform SBOMs
Source: https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf
▸ Translate
・ Change from one file type to another file type while preserving the same information.
▸ Merge
・ Multiple source documents can be merged together for analysis and audit purposes.
▸ Tool Support
・ Support use in other tools through APIs, object models, libraries, or other reference sources.
CIA Assessment for Actions
#2 Guiding Principle
Source: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition
▸ Confidentiality
・ Measures used to ensure the protection of the secrecy of data, objects, or resources.
▸ Integrity
・ Concept of protecting the reliability and correctness of data.
▸ Availability
・ Authorized subjects are granted timely and uninterrupted access to objects.