Getting down and dirty with SBOMs
by Colby Prior | - 12:45pm
This talk will deep dive into Software Bill of Materials (SBOM) at both a technical level and a risk management level. SBOMs are not a new technology, but recent government pushes are increasing their relevance. For a software vendor, publishing an SBOM is more complicated than running a simple CLI tool. Colby will run through his experience of introducing external-facing SBOMs for customers at Octopus Deploy.
The structure of this presentation will be:
- The anatomy of an SBOM
- Overview of the legal and compliance space for SBOMs
- How to manage vulnerabilities with Vulnerability Exploitability eXchange (VEX)
- Deep dive into the pointy end of SBOM generation at development, build and publish times
- What you should do about SBOMs as a software consumer
- What you should do as a developer or software vendor
- Risks and benefits of supplying an SBOM as a software vendor
Key takeaways from this talk will be a deeper technical understanding of generating SBOMs and an action plan for requesting SBOMs and responding to vulnerabilities.
About Colby Prior
Colby Prior is a seasoned DevSecOps engineer specializing in security automation, cloud infrastructure, and threat detection. Currently serving as a Security Operations Engineer at Octopus Deploy, Colby has a rich background in designing and implementing security controls within DevOps environments, integrating security testing into the software development lifecycle, and automating security tasks.