Talk in English - UK at Incontro DevOps Italia 2023
Track Name: Sala 1
View Slides: https://fileadmin.cs.lth.se/cs/Personal/Lars_Bendix/Research/SBoM/IDI-Bologna-SBoM.pdf
Short URL: https://joind.in/talk/64d74
Why should DevOps practitioners be interested in Software Bill of Materials (SBoM)? Firstly, being responsible for 'producing things' (binaries and executables), DevOps has immediate access, at the moment a binary or executable is created, to the data needed to construct an SBoM for it, which makes the SBoM a lot easier and faster to construct and its data more consistent. Secondly, the use of an SBoM is not limited to searching for vulnerabilities. It has many other use cases that are very useful during the development and maintenance of a product. So DevOps will not only be 'producers' of SBoMs, but can also be very active 'consumers' of SBoMs in their daily work.
The American NTIA has worked hard to make SBoMs a legal requirement for delivering software to the American government - and other sectors may follow in the future. The NTIA has been very focused on cybersecurity and sees an SBoM as 'a list of ingredients used for vulnerability scan'. Even if this is an important use case, an SBoM is much more than just a list of ingredients, and the range of use cases for an SBoM is much wider than a simple scan for vulnerabilities. The concept of SBoM also has a much longer and more varied history than recent security incidents would suggest.
In this talk, we present and motivate a number of the 10 overarching use case categories (of which 'vulnerability scan' is only one) that we have distilled from an extensive literature study and numerous interviews with practitioners. Furthermore, we sketch the requirements that are needed for implementing a selected set of these use case categories. Finally, we list a number of general, cross-cutting considerations that you should take into account if you want the operation of SBoMs to be smooth and powerful. 
With this knowledge DevOps practitioners will be able to utilise and exploit the concept of SBoM to its full potential and provide better service and support for development teams and organisations.