September 27-30, 2021
Seattle, Washington, USA + Virtual
Wednesday, September 29 • 3:55pm - 4:45pm
(IN-PERSON) Secure Your Supply Chain: Adding a Software Bill of Materials to Your Containers to Improve Vulnerability Scanning - Paul Novarese, Anchore

Vulnerability checks are seen as a commodity by software publishers and consumers alike, but these checks aren’t all the same. How you conduct these scans has a massive effect on the number of both false positives and false negatives your evaluations contain. Likewise, it’s easy to think of these checks as a one-time act of due diligence. However, information about vulnerabilities is continuously evolving, so you need to be continuously evaluating your software. Using a software bill of materials (SBOM) can give you faster checks and more accurate results. Faster checks enable continuous evaluation, meaning that problems can be detected sooner and fixed faster (and with less disruption to production). In this presentation, we will introduce the software bill of materials, discuss how SBOMs are compiled, and examine how SBOMs can be a force multiplier for your vulnerability checks (increasing both speed and accuracy). We will then look at the landscape of open source tools for creating SBOMs (with an eye on container images), how SBOM-enabled checks can be incorporated into CI/CD pipelines, and how SBOMs are used beyond the pipeline to provide continuous vulnerability awareness. We’ll wrap up by surveying additional benefits of generating SBOMs beyond simple vulnerability checks.

Paul Novarese

Solutions Architect, Anchore
Paul is a solutions architect and Kubernetes security advocate with Anchore. He has a wide-ranging background in open source and customer success programs at companies like Docker, Red Hat and HP, and has been focused on container platforms for over five years. Paul is passionate about...

Wednesday September 29, 2021 3:55pm - 4:45pm PDT
Room 501
  OS Dependability, Container & Infrastructure Security