Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance

Описание: Don't miss out! Join us at our next Flagship Conference: KubeCon + CloudNativeCon North America in Salt Lake City from November 12 - 15, 2024. Connect with our current graduated, incubating, and sandbox projects as the community gathers to further the education and advancement of cloud native computing. Learn more at https://kubecon.io

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google

How do you catalog all the software of Google? This is what was asked of Google from the US White House Executive Order 14028. When the memo dropped stating that we’d need to be ready to provide SBOMs in 6 months, there were a ton of questions… Which products need to have an SBOM? Which format? What tooling? Who’s responsible? Where do we store them? SBOM requirements? Legal? Privacy? In this talk, we will show how Google went from 0 to 100M SBOMs in 6 months, giving insight into the process, principles and lessons learnt. We will chat through both organizational challenges such as translating requirements, getting together many different teams (products, builders, infrastructure, legal, federal etc.), as well as engineering principles such as having builders play a key role in the SBOM generation process, attested SBOMs, and how “less is more”. We will show how our solution was built on top of LF/CNCF technologies like SPDX, SLSA, and Intoto.