Explore the critical aspects of ensuring trustworthy Software Bill of Materials (SBOMs) in this 29-minute conference talk from the Cloud Native Computing Foundation (CNCF). Delve into the often-overlooked elements of SBOM reliability throughout its lifecycle, from generation to storage, distribution, and processing. Learn to identify potential pitfalls and ask crucial questions about your organization's SBOM practices. Discover how to leverage open-source tools and specifications such as in-toto attestations, Content Addressable Store, Supply-chain Levels for Software Artifacts (SALSA), and Sigstore to create uniquely identifiable, unforgeable, complete, and accessible SBOMs. Gain insights into implementing end-to-end SBOM solutions and other metadata like VEX and vulnerability scans that meet the highest trust standards required in future Software Supply Chains.
SBOMs That You Can Trust - The Good, the Bad, and the Ugly
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
SBOMs That You Can Trust - the Good, the Bad, and the Ugly - Miguel Martinez & Daniel Liszka
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
-
SBOM X-Ray Superpowers: Making Better SBOMs and Using SBOMs
-
SBOMs, VEX, and Kubernetes - Software Supply Chain Security in Cloud Native Environments
-
Auto Generate SBOMs for Open Source Projects in Any Language and Platform
-
The Evolution of SBOMs in AlmaLinux
-
GUAC Verification for Software Supply Chain Security
-
Software Bill of Materials (SBOM) in Kubernetes - Best Practices and Approaches
