
A radiography of a SBOM vulnerability scanner

Olimpiu Pop

Olimpiu is a technology executive who balances his tech savviness with a focus on people and their wellbeing. A constant explorer of new technology trends, he enjoys digesting and spreading knowledge through podcasts and written articles. He is a strong believer in the power of communities and open source, getting involved in technical community building and curating content for conferences as a program committee member.

Even though he started working with Java in the days of the 1.4 JDK, lately he has explored other ecosystems like JS and Go, continuously trying to learn other languages and paradigms.

You can find content curated or written by him on JavaAdvent and InfoQ. For a daily dose of cybersecurity and open source news, see 505updates.com.

Steve Poole

Developer Advocate, Security Champion, DevOps practitioner (whatever that means). Long-time Java developer, leader and evangelist. I’ve been working on Java SDKs and JVMs since Java was less than 1. JavaOne Rockstar, JSR leader and representative, committer on open source projects including ones at Apache, Eclipse and OpenJDK. A seasoned speaker and regular presenter at international conferences on technical and software engineering topics.


Abstract

Log4Shell and SpringShell were reminders that a big part of the code we use in our systems is not ours, and that the maintainers we rely on carry a significant responsibility.

The US President’s Executive Order 140028 brought to the public the need for improving the nation’s cybersecurity. It was also the start of the SBOM frenzy, which was only accentuated by the Securing Open Source Software Act of 2022 bill in Congress. If that was not enough, the EU joined the supply chain security bandwagon with the release of the NIS2 directive.

Great! We have the silver bullet for all supply chain issues: the Software Bill Of Materials. Are we done?

Sadly, that is not the case. Using SBOMs effectively requires us to learn about:

  • What can an SBOM tell us, and how can it help us?
  • What tools to use?
  • How to use them? 
  • How do they work?
  • What are the related formats?

This session will answer each of these questions. We will also look behind the scenes and explain how an SBOM helps with vulnerability resolution more effectively than dependency scanning, and why SBOMs offer more general protection. We will also cover where SBOMs fit in your DevSecOps pipeline and what intelligence they can provide to different stakeholders in your organisation (from technical to legal).

The practical examples will be focused on the following:

  • Syft – for SBOM generation and transformations (from one format to another)
  • Grype vs bomber – for vulnerability scanning and intelligence
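To make the "how do they work?" question concrete, here is an added example (not code from the talk, nor from Syft, Grype or bomber) of the core step every SBOM vulnerability scanner performs: reading the components out of an SBOM, identifying each one by its package URL (purl), and matching the version against advisory ranges. The SBOM document is constructed inline in the shape of CycloneDX JSON, the format Syft can emit; the advisory identifiers and affected version ranges are made up for the example, whereas a real scanner draws them from curated feeds such as the NVD or the GitHub Advisory Database. The `should_fail` gate models the kind of CI threshold a scanner exposes so that a pipeline can break on severe findings.

```python
"""Minimal SBOM vulnerability matcher (added example; constructed data throughout)."""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM, shaped like a `syft -o cyclonedx-json` document.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "spring-beans", "version": "5.3.18",
     "purl": "pkg:maven/org.springframework/spring-beans@5.3.18"},
    {"type": "library", "name": "commons-text", "version": "1.10.0",
     "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2?type=jar"}
  ]
}"""

# Constructed advisory feed: the EXAMPLE-* ids and the version ranges are invented.
# Entries are keyed by the version-less purl, which is what scanners match on.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "pkg:maven/org.springframework/spring-beans",
     "introduced": "5.3.0", "fixed": "5.3.18", "severity": "high"},
    {"id": "EXAMPLE-0003", "package": "pkg:maven/org.apache.commons/commons-text",
     "introduced": "1.5", "fixed": "1.10.0", "severity": "high"},
    {"id": "EXAMPLE-0004", "package": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.0", "fixed": "2.13.3", "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    purl: str
    severity: str
    fixed_in: str


def version_key(version):
    """Turn '2.14.1' into a comparable tuple; trailing zeros are dropped so that
    '2.15' and '2.15.0' compare equal. Non-numeric segments count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def split_purl(purl):
    """Split 'pkg:maven/ns/name@1.2?type=jar#sub' into ('pkg:maven/ns/name', '1.2').
    Qualifiers (?...) and subpaths (#...) are stripped; a purl without '@' has no version."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    package, sep, version = base.rpartition("@")
    return (package, version) if sep else (base, None)


def load_components(sbom_json):
    """Return the SBOM components that carry a purl; anything else cannot be matched."""
    doc = json.loads(sbom_json)
    return [c for c in doc.get("components", []) if c.get("purl")]


def match_advisories(components, advisories):
    """Report every component whose version falls in [introduced, fixed) of an advisory."""
    findings = []
    for comp in components:
        package, version = split_purl(comp["purl"])
        if version is None:
            continue
        v = version_key(version)
        for adv in advisories:
            if adv["package"] != package:
                continue
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings.append(Finding(adv["id"], comp["purl"], adv["severity"], adv["fixed"]))
    return findings


def should_fail(findings, fail_on="high"):
    """CI gate: True if any finding is at or above the given severity."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


def scan(sbom_json, advisories=ADVISORIES):
    return match_advisories(load_components(sbom_json), advisories)


if __name__ == "__main__":
    results = scan(SBOM_JSON)
    for f in results:
        print(f"{f.severity.upper():8} {f.advisory_id}  {f.purl}  fixed in {f.fixed_in}")
    print("gate:", "FAIL" if should_fail(results, "high") else "PASS")
```

Two details in the matcher are the ones that most often separate a good scanner from a noisy one: the match is on the full purl (type, namespace and name), not on a bare artifact name, so `commons-text` from a different namespace would not collide; and the range check is half-open, so a component already at the fixed version (spring-beans 5.3.18 and commons-text 1.10.0 above) is correctly not reported.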
