Practical Software Bill of Materials: From Generation to Distribution Workshop
Author: FIRST
Uploaded: 2025-05-29
Views: 643
Description:
Adolfo García Veytia (Carabiner Systems, MX), Ian Dunbar-Hall (Lockheed Martin, US), Michael Lieberman (Kusari, US)
For the past couple of years, Adolfo García Veytia has been working to secure big open-source projects such as Kubernetes. Adolfo primarily focuses on SBOM tooling, provenance generators, and thinking about and designing future uses and implementations at scale. Adolfo is a regular contributor to cloud native projects, the SPDX and OpenVEX projects, and regularly participates in SBOM groups and forums at the OpenSSF and elsewhere.
Ian Dunbar-Hall leads Lockheed Martin's Open Source Program Office and specializes in DevSecOps and full stack engineering. Additionally, he is a maintainer on SBOMit and bomctl. He is also an OpenSSF Governing Board General Member Representative.
Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is an elected member of the OpenSSF Governing Board and Technical Advisory Council along with CNCF TAG Security Lead and an SLSA steering committee member.
--
This workshop provides an in-depth overview of Software Bills of Materials (SBOMs) in real-world usage. It details the SBOM generation lifecycle, covering effective generation using tools like Syft and Trivy, augmentation with essential metadata to meet the NTIA Minimum Elements, and best practices for signing and consolidating SBOMs. It also emphasizes validation techniques to ensure schema compliance and outlines the use of tools like OpenSSF's GUAC and OWASP Dependency-Track for analysis and continuous monitoring. Finally, it explores strategies for SBOM sharing and distribution, including OpenSSF naming conventions and ecosystem-specific approaches to facilitate widespread adoption and integration.