Niklas Düster, Co-lead, OWASP Dependency Track

Processing SBOMs at scale surfaces a class of problems the standards don’t prepare you for:

  • Ambiguous component identity across the various identifiers (coordinates, CPE, PURL, SWID, etc.)
  • Hash mismatches that leave you wondering whether you’re looking at the same artifact or a quietly different one
  • Partial or contradictory data when multiple SBOMs describe the (supposedly) same thing
  • Generators and scanners encoding custom behaviour in non-standard fields

Drawing on years of experience building and maintaining OWASP Dependency-Track and CycloneDX tooling,
this talk takes an honest look at where the ecosystem’s assumptions break down,
and what pragmatic approaches exist for analysis despite imperfect data.
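As an added illustration of the identity and hash problems listed above (example code written for this page, not code from Dependency-Track or CycloneDX), the following Python reconciles two constructed SBOM fragments: it pairs components on any identifier the two sides agree on (canonicalised PURL, CPE, or group/name/version coordinates), treats hashes as comparable only when both sides used the same algorithm, and reports records present on one side only. The component records, names and hash values are made up, and the matching rule is this example's own assumption rather than any tool's documented behaviour.

```python
import re

# Constructed sample records (not taken from any real SBOM). Hash values are
# made-up hex strings; only the comparison logic matters here.
SBOM_A = [
    {"name": "jackson-databind", "group": "com.fasterxml.jackson.core",
     "version": "2.13.4",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar",
     "hashes": {"SHA-256": "aa11" * 16}},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
     "hashes": {"SHA-256": "bb22" * 16}},
    {"name": "OpenSSL", "version": "3.0.8",
     "cpe": "cpe:2.3:a:openssl:openssl:3.0.8:*:*:*:*:*:*:*", "hashes": {}},
]
SBOM_B = [
    {"name": "jackson-databind", "version": "2.13.4",   # group omitted by this generator
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
     "hashes": {"SHA-1": "cc33" * 10}},                 # no algorithm in common with A
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
     "hashes": {"SHA-256": "dd44" * 16}},               # same identity, different bytes
    {"name": "openssl", "version": "3.0.8",
     "cpe": "cpe:2.3:a:openssl:openssl:3.0.8:*:*:*:*:*:*:*",
     "hashes": {"SHA-256": "ee55" * 16}},
    {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13",
     "hashes": {}},                                     # present in B only
]

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<rest>[^?#]+)")


def canonical_purl(purl):
    """Reduce a purl to (type, namespace, name, version). Qualifiers and the
    subpath are dropped because generators disagree on whether to emit them."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    rest, version = m.group("rest"), None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
    parts = rest.split("/")
    return (m.group("type").lower(), "/".join(parts[:-1]) or None, parts[-1], version)


def identity_keys(comp):
    """Every identifier a record carries becomes a candidate match key."""
    keys = {}
    if comp.get("purl"):
        keys["purl"] = canonical_purl(comp["purl"])
    if comp.get("cpe"):
        keys["cpe"] = comp["cpe"].lower()
    keys["coords"] = ((comp.get("group") or "").lower(),
                      comp["name"].lower(), comp.get("version"))
    return keys


def compare_hashes(a, b):
    """Hashes are only comparable when both sides used the same algorithm;
    otherwise the records can neither confirm nor refute each other."""
    shared = set(a) & set(b)
    if not shared:
        return "uncomparable"
    same = all(a[alg].lower() == b[alg].lower() for alg in shared)
    return "match" if same else "mismatch"


def reconcile(sbom_a, sbom_b):
    """Pair components across two SBOMs on any agreeing identifier, classify
    their hash agreement, and list records that only one side describes."""
    matched, used_b = [], set()
    for a in sbom_a:
        ka = identity_keys(a)
        for j, b in enumerate(sbom_b):
            if j in used_b:
                continue
            kb = identity_keys(b)
            overlap = sorted(k for k in ka
                             if ka[k] is not None and kb.get(k) == ka[k])
            if overlap:
                matched.append({"name": a["name"].lower(), "matched_on": overlap,
                                "hash_status": compare_hashes(a["hashes"], b["hashes"])})
                used_b.add(j)
                break
        else:
            matched.append({"name": a["name"].lower(), "matched_on": [],
                            "hash_status": "unmatched"})
    return {
        "matched": [m for m in matched if m["matched_on"]],
        "only_in_a": [m["name"] for m in matched if not m["matched_on"]],
        "only_in_b": [b["name"].lower() for j, b in enumerate(sbom_b) if j not in used_b],
    }


if __name__ == "__main__":
    for row in reconcile(SBOM_A, SBOM_B)["matched"]:
        print(row)
```

Run on the sample, jackson-databind pairs on PURL alone (the missing group field defeats a coordinate match) but its hashes are uncomparable, lodash pairs on two identifiers yet carries different bytes, and zlib surfaces as a record only one SBOM knows about; each of those outcomes deserves a different response from an analysis pipeline, which is the point of separating "uncomparable" from "mismatch".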

Open Source Security Foundation
OWASP Foundation
Open regulatory compliance working group (ORCWG.ORG)