SBOMs: What are they good for?
Details
Security bloggers and compliance folks love to talk about SBOMs (software bills of materials), but what is an SBOM? And more importantly, what is it good for? Come to this talk to learn to make and inspect SBOMs, and answer questions like: Are we running log4j? Are we running any open source code whose license could get us in trouble? Or maybe whose license terms recently changed? Is there a copy of this exact file anywhere in our production images? And many more.
In this talk, you’ll learn to use Syft, a free and open source tool for generating SBOMs, to answer all these questions, plus Grype and Grant (also free and open source) to scan SBOMs for more detailed information about known vulnerabilities and license compliance.
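As an added illustration (not code from the talk, from Syft, or from Anchore): three small Python checks over a constructed CycloneDX JSON SBOM, one of the formats Syft can emit, that answer the questions above from the inventory alone. The sample SBOM, the file digest and the denied-license list are all constructed for this example.

```python
import json

# Constructed CycloneDX 1.5 document in the shape Syft emits with
# `syft <target> -o cyclonedx-json`, trimmed to the fields used below.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "some-lib", "version": "1.0.0",
         "purl": "pkg:npm/some-lib@1.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        # Syft records file components with digests when file cataloging is on.
        {"type": "file", "name": "/app/config.yaml",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
    ],
})

# Constructed policy: licenses we do not want in production images.
DENIED_LICENSES = {"AGPL-3.0-only", "SSPL-1.0"}


def components(sbom_json):
    return json.loads(sbom_json).get("components", [])


def find_package(sbom_json, name_fragment):
    """Are we running log4j? Match on component name or purl, case-insensitively."""
    frag = name_fragment.lower()
    return [(c["name"], c.get("version")) for c in components(sbom_json)
            if c.get("type") != "file"
            and (frag in c["name"].lower() or frag in c.get("purl", "").lower())]


def license_violations(sbom_json, denied=DENIED_LICENSES):
    """Which components carry a license on the denied list?"""
    hits = []
    for c in components(sbom_json):
        for lic in c.get("licenses", []):
            # CycloneDX allows either a single license id or an SPDX expression.
            lic_id = lic.get("license", {}).get("id") or lic.get("expression")
            if lic_id in denied:
                hits.append((c["name"], lic_id))
    return hits


def find_file_by_sha256(sbom_json, digest):
    """Is this exact file anywhere in the image? Match on the recorded SHA-256."""
    return [c["name"] for c in components(sbom_json) if c.get("type") == "file"
            and any(h["alg"] == "SHA-256" and h["content"] == digest
                    for h in c.get("hashes", []))]
```

Grype and Grant run the vulnerability and license checks against the same SBOM file; the functions above only show what the inventory itself already lets you answer.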
Agenda:
06:00 - 06:10 Welcome & Networking
06:10 - 06:15 Announcements
06:15 - 07:15 Main presentation
07:15 - 07:25 Q&A
07:25 - 07:30 Wrap-up
Speaker: Will Murphy
Will Murphy is a Senior Software Engineer focused on containers, security, and Go. He currently works on software supply chain security at Anchore, where he is a maintainer of Syft, Grype, Vunnel, and a few other tools. Before Anchore, he worked on internal developer tooling at Amazon Web Services, worked on the CloudFoundry CLI at Pivotal, and built parts of MyUSCIS.
Before becoming a software engineer, Will taught high school Latin, worked as a technical writer, and briefly taught English as a second language overseas. On the weekends, you can find Will playing board games with his family, hacking on side projects, and haunting local coffee shops. He blogs occasionally at https://willmurphy.me/.
Sponsor: Special thanks to Terazo for hosting us again!
