SBOMs That You Can Trust - The Good, the Bad, and the Ugly
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Explore the critical aspects of ensuring trustworthy Software Bills of Materials (SBOMs) in this 29-minute conference talk from the Cloud Native Computing Foundation (CNCF). Delve into the often-overlooked elements of SBOM reliability throughout its lifecycle, from generation to storage, distribution, and processing. Learn to identify potential pitfalls and ask crucial questions about your organization's SBOM practices. Discover how to leverage open-source tools and specifications such as in-toto attestations, a Content Addressable Store, Supply-chain Levels for Software Artifacts (SLSA), and Sigstore to create uniquely identifiable, unforgeable, complete, and accessible SBOMs. Gain insights into implementing end-to-end SBOM solutions, along with other metadata such as VEX documents and vulnerability scans, that meet the highest trust standards required in future software supply chains.
Syllabus
SBOMs That You Can Trust - the Good, the Bad, and the Ugly - Miguel Martinez & Daniel Liszka
Taught by
CNCF [Cloud Native Computing Foundation]