SBOMs & CycloneDX with Steve Springett
@BEERISAC: OT/ICS Security Podcast Playlist
English - August 24, 2023 12:45 - 1 hour - ★★★★★ - 2 ratingsTechnology Business listen notes listen later Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed
Podcast: Unsolicited Response (LS 34 · TOP 5% what is this?)
Episode: SBOMs & CycloneDX with Steve Springett
Pub date: 2023-08-23
Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs.
In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner. The beginning of the show we cover some basics of CycloneDX
If you know the basics, skip to 14:24 where we get into the details
Statistics on who is generating and using CycloneDX SBOMs, and the impact of governement regulations on the use. Steve's view of the NTIA Minimum Elements for SBOM v. CycloneDX elements. How CycloneDX tries to capture the completeness of and confidence in the SBOM. The naming problem. CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward. Vulnerabilities ... and why Steve thinks VEX is a missed opportunity. Outdated component analysis (this could be very useful in a procurement decision) and moreLinks
CycloneDX document: Authoritative Guide To SBOM
ICS-Patch (what to patch when in ICS / risk based decision tree)
The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.