Log4Shell and SpringShell were reminders that a big part of the code we use in our systems is not ours, and that the maintainers we rely on carry a significant responsibility. The US President's Executive Order 14028 brought the need for improving the nation's cybersecurity to public attention. It was also the start of the SBOM frenzy, which was only accentuated by the Securing Open Source Software Act of 2022 bill in Congress. If that was not enough, the EU joined the supply chain security bandwagon with the release of the NIS2 directive.

Great! We have the silver bullet to all supply chain issues: the Software Bill of Materials. Are we done? Sadly, that is not the case. Using SBOMs effectively requires us to learn about:

What an SBOM can tell us, and how it can help us
What tools to use
How to use them
How they work
What the related formats are

This session will answer each of these questions. We will also look behind the scenes and explain how an SBOM helps with vulnerability resolution more effectively than dependency scanning, and why SBOMs offer more general protection. Where do SBOMs fit in your DevSecOps pipeline, and what intelligence can they provide to different stakeholders in your organisation (from technical to legal)?

The practical examples will be focused on the following:

Syft – for SBOM generation and transformations (from one format to another)
Grype vs bomber – for vulnerability scanning and intelligence