In-Depth Radiography of an SBOM vulnerability scanner (VIDEO)
June 15, 2023
Olimpiu Pop

Log4Shell and SpringShell served as poignant reminders that a substantial portion of the code integrated into our systems does not originate from us, emphasizing the significant responsibility placed on the maintainers we rely on.

The issuance of Executive Order 14028 by the US President brought the imperative need for bolstering the nation's cybersecurity into the public spotlight. This directive marked the inception of the SBOM frenzy, which gained further momentum with the introduction of the Securing Open Source Software Act of 2022 by Congress. As if that were not enough, the EU joined the movement toward supply chain security with the release of the NIS2 directive.

Fantastic! We now possess the ultimate solution to address all supply chain issues: the Software Bill Of Materials (SBOM). Does this mean our work is complete?

Regrettably, that is not the case. Effectively harnessing the power of SBOMs necessitates acquiring knowledge about:

  • What information an SBOM can provide and how it can assist us.
  • Which tools are suitable for SBOM utilization.
  • How to effectively utilize these tools.
  • Understanding their functionality and operation.
  • Familiarity with related formats.

This session will address each of these questions comprehensively. We will delve into the inner workings of SBOMs and elucidate how they facilitate more efficient vulnerability resolution compared to dependency scanning.

Additionally, we will explore how SBOMs offer broader protection. We will also discuss where SBOMs fit within your DevSecOps pipeline and the valuable intelligence they can offer to various stakeholders within your organization, ranging from technical to legal domains.

The practical examples presented will focus on the following:

  • Syft: For SBOM generation and transformations (converting between different formats).
  • Grype vs. Bomber: For vulnerability scanning and intelligence gathering.
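To make the "inner workings" concrete before the session, here is a minimal model of what an SBOM vulnerability scanner does after Syft has produced the document: read the components from a CycloneDX JSON SBOM, parse each package URL (purl), and match ecosystem, package and version against an advisory feed with introduced/fixed ranges. This is example code written for this page, not code from Syft, Grype or Bomber; the SBOM document, the advisory entries and their IDs are constructed placeholders, and the version comparison is a deliberately simple numeric one rather than a full ecosystem-aware implementation.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM in the shape Syft can emit as cyclonedx-json.
# Component versions are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "spring-beans", "version": "5.3.18",
         "purl": "pkg:maven/org.springframework/spring-beans@5.3.18"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed advisory feed: affected range is [introduced, fixed).
# The IDs are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "maven",
     "package": "org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "maven",
     "package": "org.springframework/spring-beans",
     "introduced": "5.3.0", "fixed": "5.3.18"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "pypi",
     "package": "requests", "introduced": "0", "fixed": "2.31.0"},
]


def parse_purl(purl: str) -> Tuple[str, str, Optional[str]]:
    """Split pkg:type/namespace/name@version[?qualifiers][#subpath]
    into (type, namespace/name, version). Qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % purl)
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    ptype, rest = body.split("/", 1)
    if "@" in rest:
        name, version = rest.rsplit("@", 1)
        return ptype, name, version
    return ptype, rest, None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); trailing non-digits in a segment are ignored.
    Simplified on purpose: real scanners use per-ecosystem version semantics."""
    parts = []
    for token in version.split("."):
        digits = ""
        for ch in token:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def components(sbom_json: str) -> List[Dict]:
    """Return the SBOM components that carry a purl; others cannot be matched."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("this example only reads CycloneDX JSON")
    return [c for c in doc.get("components", []) if c.get("purl")]


def index_advisories(advisories: List[Dict]) -> Dict[Tuple[str, str], List[Dict]]:
    """Key advisories by (ecosystem, package) so each component is one lookup."""
    index: Dict[Tuple[str, str], List[Dict]] = {}
    for adv in advisories:
        index.setdefault((adv["ecosystem"], adv["package"]), []).append(adv)
    return index


def scan(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Match every component's purl against the advisory index and report
    components whose version falls inside an affected range."""
    index = index_advisories(advisories)
    findings = []
    for comp in components(sbom_json):
        ptype, package, version = parse_purl(comp["purl"])
        if version is None:
            continue  # no version in the SBOM means no range check is possible
        v = parse_version(version)
        for adv in index.get((ptype, package), []):
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "purl": comp["purl"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding["id"], finding["purl"], "fixed in", finding["fixed_in"])
```

Two details of the matching are worth noticing: a component whose purl lacks a version is skipped rather than reported, and the "fixed" boundary is exclusive, so a component already at the fixed version does not produce a finding. Both choices are common sources of false negatives and false positives in real scanners, which is why comparing Grype and Bomber output on the same SBOM is informative.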
