Saturday, September 18, 2021

What’s cooking at the Energy SBOM Proof of Concept?

The Energy SBOM Proof of Concept – sponsored by the Department of Energy and the National Telecommunications and Information Administration (NTIA) – is entering a new education phase. Due to popular demand, we decided to provide an in-depth look at what goes into SBOMs – in other words, what are the ingredients in the software bill of materials cake, anyway?

In fact, we got so carried away with the cooking metaphor that we’re going to have a series of online “cooking classes”, at which noted SBOM “chefs” will demonstrate how they combine the elements of SBOMs and VEXes, as well as other ingredients, to produce software transparency. Truth be told, this is the ultimate goal of the NTIA software component transparency initiative, of which the energy PoC (and the contemporaneous healthcare and autos PoCs) is one part.

The first cooking class is next Wednesday, September 22 at noon ET. Julia Child being unavailable, we were quite happy to engage Steve Springett, who is co-leader of the OWASP group that develops and supports CycloneDX, one of the three major SBOM formats. Steve is also the initiator of the Dependency-Track “continuous component analysis platform” (which has been in operation since 2012 and has gained a wide following in its own right). In a few words, Dependency-Track lets you upload SBOMs for the software your organization runs and track vulnerabilities found in the components of that software. All for free, of course.

Here’s the webinar information (no registration is required):

Microsoft Teams meeting (join on your computer or mobile app)

Or call in (audio only): +1 208-901-7635,,877158748#   United States, Boise

Phone Conference ID: 877 158 748#

At the following biweekly meeting on October 6, we’re pleased to have Kate Stewart, VP of Dependable Embedded Systems (how’s that for a title?) of the Linux Foundation. Kate has been the leader of the team that developed – and continues to enhance and support – the SPDX format, which started 11 years ago. Two weeks ago, SPDX was “recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.” Quite an achievement!

Both Steve and Kate will do roughly the following, using a “basic” open source project from an OSS repository like GitHub:

1. If possible, share the URL for the project with our mailing list in advance;

2. Walk through how to build an SBOM (in CycloneDX or SPDX format, respectively) based on that project – with a lot of emphasis on explanation;

3. Discuss basic use cases for the SBOM; and

4. Show how the same method could be used to support a bigger and more complex project.

There will be time for Q&A. We also hope to be able to distribute some tasty samples, if we can overcome the (probably) small technical problem of decomposing them into digital bits and reassembling them into food at your computer. We have some people working on this problem as I write, and I fully expect they’ll have a solution by Wednesday. How hard can it be?
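To give a concrete idea of the “ingredients” before the classes, here is an added example (not code from the PoC, from OWASP CycloneDX, or from Dependency-Track) that does in miniature what steps 2 and 3 above describe: it assembles a minimal CycloneDX 1.4 JSON SBOM from a resolved dependency list, then runs two basic use cases over it – matching components against a vulnerability feed, which is what Dependency-Track does when you upload an SBOM, and applying a VEX statement to filter out a finding the supplier says is not exploitable. The application, its packages, the advisory IDs and the VEX statement are all constructed for illustration; only the document shape (bomFormat, specVersion, components with bom-ref and purl, the dependencies graph, and the vulnerabilities/analysis block used for VEX) follows the CycloneDX 1.4 layout.

```python
"""Build a minimal CycloneDX 1.4 SBOM, then run two basic use cases over it:
match components against a vulnerability feed and apply a VEX statement.

Added example for this post; it is not code from the Energy PoC, OWASP
CycloneDX, or Dependency-Track. All package names, versions, vulnerability
IDs and the VEX statement are constructed for illustration.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed input: what a build/package tool would report for a small app.
APP = {"name": "recipe-service", "version": "0.3.0",
       "depends_on": ["flour-http", "yeast-crypto"]}
RESOLVED_DEPS = [
    {"name": "flour-http",   "version": "2.4.1", "depends_on": ["sugar-json"]},
    {"name": "sugar-json",   "version": "1.0.7", "depends_on": []},
    {"name": "yeast-crypto", "version": "3.1.0", "depends_on": ["sugar-json"]},
]


def purl(name, version, ecosystem="pypi"):
    """Package URL, the identifier SBOM consumers key on: pkg:<type>/<name>@<version>."""
    return f"pkg:{ecosystem}/{name}@{version}"


def build_cyclonedx(app, deps):
    """Assemble a CycloneDX 1.4 JSON document as a dict.

    Every component carries a bom-ref so the dependencies section can point at
    it; that graph is what separates an SBOM from a flat package list.
    """
    refs = {d["name"]: purl(d["name"], d["version"]) for d in deps}
    app_ref = f"{app['name']}@{app['version']}"
    components = [{"type": "library", "bom-ref": refs[d["name"]],
                   "name": d["name"], "version": d["version"],
                   "purl": refs[d["name"]]} for d in deps]
    dependencies = [{"ref": app_ref,
                     "dependsOn": [refs[n] for n in app["depends_on"]]}]
    dependencies += [{"ref": refs[d["name"]],
                      "dependsOn": [refs[n] for n in d["depends_on"]]} for d in deps]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": app_ref,
                          "name": app["name"], "version": app["version"]},
        },
        "components": components,
        "dependencies": dependencies,
    }


def dependents(bom, ref):
    """Which entries pull in `ref`? Answers 'where is this component in my build?'."""
    return sorted(d["ref"] for d in bom["dependencies"] if ref in d["dependsOn"])


# Constructed feed: hypothetical advisories keyed by purl without the version.
VULN_FEED = [
    {"id": "EXAMPLE-2021-0001", "purl": "pkg:pypi/sugar-json", "fixed_in": "1.1.0"},
    {"id": "EXAMPLE-2021-0002", "purl": "pkg:pypi/flour-http", "fixed_in": "2.5.0"},
]


def _ver(v):
    # Dotted-integer versions only; real tools use ecosystem-specific ordering.
    return tuple(int(x) for x in v.split("."))


def find_vulnerable(bom, feed):
    """Match SBOM components against the feed (what Dependency-Track does on upload)."""
    hits = []
    for c in bom["components"]:
        base, _, version = c["purl"].rpartition("@")
        for v in feed:
            if base == v["purl"] and _ver(version) < _ver(v["fixed_in"]):
                hits.append({"id": v["id"], "ref": c["bom-ref"]})
    return hits


# Constructed VEX in CycloneDX 1.4 form: the supplier asserts one finding is not exploitable.
VEX = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
       "vulnerabilities": [{
           "id": "EXAMPLE-2021-0001",
           "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
           "affects": [{"ref": "pkg:pypi/sugar-json@1.0.7"}],
       }]}


def apply_vex(hits, vex):
    """Drop hits the VEX marks not_affected; everything else stays actionable."""
    cleared = {(v["id"], a["ref"]) for v in vex["vulnerabilities"]
               if v["analysis"]["state"] == "not_affected" for a in v["affects"]}
    return [h for h in hits if (h["id"], h["ref"]) not in cleared]


if __name__ == "__main__":
    bom = build_cyclonedx(APP, RESOLVED_DEPS)
    print(json.dumps(bom, indent=2))
    hits = find_vulnerable(bom, VULN_FEED)
    print("raw hits:", hits)
    print("after VEX:", apply_vex(hits, VEX))
    print("who pulls in sugar-json:", dependents(bom, "pkg:pypi/sugar-json@1.0.7"))
```

Two things worth noticing when you run it. First, the matching is keyed entirely on the purl, which is why the classes put so much emphasis on getting component identifiers right: a component with no purl (or a wrong one) simply never matches anything. Second, the VEX does not change the SBOM at all; it is a separate document that sits beside it and tells the consumer which findings to stop chasing, which is the division of labor the NTIA initiative has in mind.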

If you’d like to get a good preview of Steve and Kate, they did a great webinar on the “Roots of SBOM” recently, along with Chris Blask of Cybeats. The webinar was sponsored by Cybeats.

The PoC meetings are open to everybody, even if you’re not directly involved with the energy industry. You don’t have to sign up for the webinar, but if you’d like to be on our mailing list, drop an email to SBOMEnergyPOC@inl.gov.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
