@BEERISAC: OT/ICS Security Podcast Playlist artwork

SBOMs & CycloneDX with Steve Springett

@BEERISAC: OT/ICS Security Podcast Playlist

English - August 24, 2023 12:45 - 1 hour - ★★★★★ - 2 ratings
Technology Business listen notes listen later Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Previous Episode: Cyber Women-3: Sara Bitan D.Sc Co-Founder & CEO @CyCloak on women in cyber & PLC vulnerability research
Next Episode: Real world stories of incident response and threat intelligence.

Podcast: Unsolicited Response (LS 34 · TOP 5% what is this?)
Episode: SBOMs & CycloneDX with Steve Springett
Pub date: 2023-08-23



Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs.

In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner. The beginning of the show we cover some basics of CycloneDX

If you know the basics, skip to 14:24 where we get into the details

Statistics on who is generating and using CycloneDX SBOMs, and the impact of governement regulations on the use. Steve's view of the NTIA Minimum Elements for SBOM v. CycloneDX elements. How CycloneDX tries to capture the completeness of and confidence in the SBOM. The naming problem. CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward. Vulnerabilities ... and why Steve thinks VEX is a missed opportunity. Outdated component analysis (this could be very useful in a procurement decision) and more

Links

CycloneDX document: Authoritative Guide To SBOM

ICS-Patch (what to patch when in ICS / risk based decision tree)

S4x24 CFP



The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.