Daniel Liszka, Chainloop

You might be on the journey of adopting Software Bill of Materials (SBOMs) in your organization. What if I tell you that your SBOMs might be useless and even harmful? During this talk, we’ll discuss the overlooked aspect of ensuring the trustworthiness of the SBOM during its lifecycle, from generation to storage, distribution, and processing. We’ll shed some light on the questions you should ask about your SBOMs, who, and how you can achieve trust at each step of their lifecycle.

We’ll dip our toes into the why now, and how we can leverage OpenSource tools and specifications like in-toto attestations, Content Addressable Store, Supply-chain Levels for Software Artifacts (“salsa”), or Sigstore to have SBOMs that are uniquely identifiable, unforgeable, complete, and available. After this talk, you’ll know how to implement SBOM end-to-end (or other metadata such as VEX, vuln scan, test result) that meets the highest levels of trust required in the Software Supply Chains of the future. We will demo Chainloop Open Source, how to use it to collect, store, discover and process SBOMs and other Software Supply Chain metadata, evidence, VEX, etc. via Chainloop integration like Dependency Track.

daniel-liszka-nsss_2024_sboms_that_you_can_trust

Open Source Security Foundation

Print This Page Print This Page