The Energy SBOM Proof of Concept – sponsored by the Department of Energy and the National Technology and Information Administration – is entering a new education phase. Due to popular demand, we decided to provide an in-depth look at what goes into SBOMs – i.e. what are the ingredients in the software bill of materials cake, anyway?
In fact, we got so carried away with the cooking metaphor that we’re going to have a series of online “cooking classes”, at which noted SBOM “chefs” will demonstrate how they combine the elements of SBOMs and VEXes, as well as other ingredients, to produce software transparency. Truth be told, this is the ultimate goal of the NTIA software component transparency initiative, of which the energy PoC (and the contemporaneous healthcare and autos PoCs) is one part.
The first cooking class is next Wednesday, September 22 at noon ET. Julia Child being unavailable, we were quite happy to engage Steve Springett, who is co-leader of the OWASP group that develops and supports CycloneDX, one of the three major SBOM formats. Steve is also the initiator of the Dependency-Track “continuous component analysis platform” (which has been in operation since 2012 and has gained a wide following in its own right). In a few words, Dependency-Track lets you upload SBOMs for the software your organization runs and track vulnerabilities found in components of that software. All for free, of course.
Here’s the webinar information (no registration is required):
Microsoft Teams meeting
Join on your computer or mobile app
Or call in (audio only): +1 208-901-7635,,877158748# (United States, Boise)
Phone Conference ID: 877 158 748#
At the following biweekly meeting on October 6, we’re pleased to have Kate Stewart, VP of Dependable Embedded Systems (how’s that for a title?) of the Linux Foundation. Kate has been the leader of the team that developed – and continues to enhance and support – the SPDX format, which started 11 years ago. Two weeks ago, SPDX was “recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.” Quite an achievement!
Both Steve and Kate will do roughly the following, using a “basic” open source project from an OSS repository like GitHub:
1. If possible, share the URL for the project with our mailing list in advance;
2. Walk through how to build an SBOM (in CycloneDX or SPDX format, respectively) based on that project – with a lot of emphasis on explanation;
3. Discuss basic use cases for the SBOM; and
4. Show how the same method could be used to support a bigger and more complex project.
There will be time for Q&A. We also hope to be able to distribute some tasty samples, if we can overcome the (probably) small technical problem of decomposing them into digital bits and reassembling them into food at your computer. We have some people working on this problem as I write, and I fully expect they’ll have a solution by Wednesday. How hard can it be?
If you’d like to get a good preview of Steve and Kate, they did a great webinar on the “Roots of SBOM” recently, along with Chris Blask of Cybeats. The webinar was sponsored by Cybeats.
The PoC meetings are open to everybody, even if you’re not directly involved with the energy industry. You don’t have to sign up for the webinar, but if you’d like to be on our mailing list, drop an email to SBOMEnergyPOC@inl.gov.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.