Player FMアプリでオフラインにしPlayer FMう!
SBOMs & CycloneDX with Steve Springett
Manage episode 375077070 series 2525086
Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs.
In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner. The beginning of the show we cover some basics of CycloneDX
If you know the basics, skip to 14:24 where we get into the details
- Statistics on who is generating and using CycloneDX SBOMs, and the impact of governement regulations on the use.
- Steve's view of the NTIA Minimum Elements for SBOM v. CycloneDX elements.
- How CycloneDX tries to capture the completeness of and confidence in the SBOM.
- The naming problem. CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward.
- Vulnerabilities ... and why Steve thinks VEX is a missed opportunity.
- Outdated component analysis (this could be very useful in a procurement decision)
- and more
Links
CycloneDX document: Authoritative Guide To SBOM
ICS-Patch (what to patch when in ICS / risk based decision tree)
52 つのエピソード
Manage episode 375077070 series 2525086
Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs.
In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner. The beginning of the show we cover some basics of CycloneDX
If you know the basics, skip to 14:24 where we get into the details
- Statistics on who is generating and using CycloneDX SBOMs, and the impact of governement regulations on the use.
- Steve's view of the NTIA Minimum Elements for SBOM v. CycloneDX elements.
- How CycloneDX tries to capture the completeness of and confidence in the SBOM.
- The naming problem. CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward.
- Vulnerabilities ... and why Steve thinks VEX is a missed opportunity.
- Outdated component analysis (this could be very useful in a procurement decision)
- and more
Links
CycloneDX document: Authoritative Guide To SBOM
ICS-Patch (what to patch when in ICS / risk based decision tree)
52 つのエピソード
Tất cả các tập
×プレーヤーFMへようこそ!
Player FMは今からすぐに楽しめるために高品質のポッドキャストをウェブでスキャンしています。 これは最高のポッドキャストアプリで、Android、iPhone、そしてWebで動作します。 全ての端末で購読を同期するためにサインアップしてください。