Session Abstract: The topic of SBOM has come to the forefront when discussing how to exchange information about the components that make up the software we produce and use on a daily basis. With Executive Order 14028 signed in 2021, companies that wish to provide software or services to the federal government must provide information on the security of their offerings. This includes providing a Software Bill of Materials that describes the composition of the software being procured. Although straightforward in concept, there are many questions about how to handle these software inventories in day-to-day operations.
Summary: SBOM has become the new trend in application security. However, SBOM is an overloaded term that involves more complexity than verifying the integrity of dependency files at build and run time and monitoring those files for vulnerabilities. SBOM is a dynamic process that is practiced across the entire SDLC.
Additional Information: This session will review where the industry stands regarding SBOMs, the formats and specifications that define a Software Bill of Materials, and the unanswered questions that remain about how to handle these massive inventory files. The topics draw on real-world experience of handling Software Bills of Materials on both the producer and the consumer side, and will provide advice on how to address the question, “What do we do with these documents?”