Open Source Summit + Embedded Linux Conference + OSPOCon 2021

Vulnerability checks are seen as a commodity for software publishers and consumers, but these checks aren’t all the same. How you conduct these scans has a massive effect on the number of both false positives and false negatives your evaluations contain. Likewise, it’s easy to think of these checks as a one-time act of due diligence. However, information about vulnerabilities is continuously evolving, so you need to be continuously evaluating your software. Using a software bill of materials (SBOM) can give you faster checks and more accurate results. Faster checks enable continuous evaluation, meaning that problems can be detected sooner and fixed faster (and with less disruption to production). In this presentation, we will introduce the software bill of materials, discuss how SBOMs are compiled, and examine how SBOMs can be a force multiplier for your vulnerability checks (increasing speed and accuracy). We will then look at the landscape of open source tools for creating SBOMs (with an eye on container images), how SBOM-enabled checks can be incorporated into CICD pipelines, and how SBOMs are used beyond the pipeline to provide continuous vulnerability awareness. We’ll wrap up by surveying additional benefits of generating SBOMs beyond simple vulnerability checks.