SBOMs & CycloneDX with Steve Springett
Unsolicited Response
English - August 23, 2023 09:17 - 1 hour - 64.5 MB - ★★★★★ - 12 ratings
Tags: Technology, iiot, dalepeterson, digitalbond, icssecurity, scadahacking, scadasecurity
Previous Episode: The OT Cybersecurity / Climate Nexus with Andy Bochman
Next Episode: Cyber-Physical Attacks with Marina Krotofil
Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs.
In this episode we assume listeners know what an SBOM is and why a vendor or asset owner might want one. At the beginning of the show we cover some basics of CycloneDX.
If you know the basics, skip to 14:24, where we get into the details.
Statistics on who is generating and using CycloneDX SBOMs, and the impact of government regulations on their use.
Steve's view of the NTIA Minimum Elements for SBOM versus CycloneDX elements.
How CycloneDX tries to capture the completeness of, and confidence in, the SBOM.
The naming problem: CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward.
Vulnerabilities, and why Steve thinks VEX is a missed opportunity.
Outdated component analysis (this could be very useful in a procurement decision), and more.
Links
CycloneDX document: Authoritative Guide To SBOM
ICS-Patch (what to patch when in ICS / risk based decision tree)