PS
Uploaded byPavel Shukhman
27 views

Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To Find Product SBOM?

Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To Find Product SBOM? Talk by Pavel Shukhman

Download to read offline
Where to Find Product SBOM? *IANAL (Not a Legal Advice!)
My Previous Talks on TEA and This Slide Deck BSides Toronto Talk OWASP Deck This Deck
EU CRA Introduction, p.22 EU CRA Introduction, p.60 EU CRA Chapter II, Article 13, p.13
SBOM Management BOM 1. SBOMs created and stored as part of SDLC (CI/CD) 2. SBOMs mapped to releases 3. Trust point - authoritative domain name 4. Release identities for your releases
The SBOM Promise
1.0.0 1.0.1 1.1.0 Where Traditional SCA Breaks SCA is Done Somewhere Here
SCA is Done Somewhere Here With SBOM Generation Same with SBOM Repeat Every X Days
1.1.0 1.0.0
The only well established system exists for individual container images on OCI storage
Product - Component Data Model Apache Log4j Log4j v2.25.1 Product Product Release Log4j Core Component Log4j v2.25.0 Log4j API Log4j Core v2.25.1 Log4j Core v2.25.0 Log4j API v2.25.1 Log4j API v2.25.0 Component Release
Releases and Collections of Artifacts Release Source Code Level SBOM Container Level SBOM Collection v2 Source Code Level SBOM Collection v1
Most Accurate Data is Only Available Upstream
API is the Future of Transparency CycloneDX 2.0 Expected to Have API Version
for some TEA? If your SBOM management is CRA ready, it is TEA ready. More so, TEA may act as a framework for readiness towards other frameworks.
Transparency Exchange API API-first (TEA is an API) Decentralized TEI-based Discovery Product-Component Model Release-Collection Model CLE / EoX Insights
TEA Server Management 1. Self-Hosted 2. Managed by TEA Service Provider Domain Always Belongs to Self!
Discovery via TEI TEI Product Release urn:tei:<type>:<domain-name>:<unique-identifier> urn:tei:purl:cyclonedx.org:pkg:pypi/cyclonedx-python-lib@8.4.0 UUID PURL SWID HASH EAN/UPC UDI GTIN ASIN Known Types:
Demo TEA Flow - Apache Log4j2 urn:tei:purl:oolong-demo.rearmhq.com:pkg:maven/org.apache.logging.log4j/log4j-core@2.25.0 urn:tei:uuid:oolong-demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06 urn:tei:purl:oolong-demo.rearmhq.com:pkg:github/apache/logging-log4j2
Roadmap to Standard
Get Inovled and References https://github.com/CycloneDX/transparency-exchange-api/ https://cyclonedx.org/slack/invite https://cyclonedx.org/participate/contribute/ https://tc54.org/tea/ https://openssf.org/resources/improving-risk-management-decisions-with-sbom-data/ https://www.cisa.gov/sites/default/files/2025-09/joint-guidance-a-shared-vision-of- software-bill-of-materials-for-cybersecurity_508c.pdf https://github.com/relizaio/oolong https://www.youtube.com/watch?v=MjVQZxFENQI
Thank you! I’m Pavel Shukhman Startup Founder Building ReARM - Open Core xBOM tool TEA Contributor, participant of OpenSSF SBOM groups Avid Traveler *IANAL (Not a Legal Advice!)

More Related Content

PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
PDF
From SBOMs to xBOMs to Transparency - Pavel Shukhman at OWASP Ottawa on 2025-...
byPavel Shukhman
 
PDF
Windsurf Meetup Ottawa 2025-07-12 - Planning Mode at Reliza.pdf
byPavel Shukhman
 
PDF
OWASP Transparency Exchange API: How We (Will) Share xBOMs
byPavel Shukhman
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PPTX
Software Versioining: A Time Travel Problem in Software Engineering
byPavel Shukhman
 
PPTX
Securing SSH Access by Pavel Shukhman at OWASP Ottawa Meetup, August 2019
byPavel Shukhman
 
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
From SBOMs to xBOMs to Transparency - Pavel Shukhman at OWASP Ottawa on 2025-...
byPavel Shukhman
 
Windsurf Meetup Ottawa 2025-07-12 - Planning Mode at Reliza.pdf
byPavel Shukhman
 
OWASP Transparency Exchange API: How We (Will) Share xBOMs
byPavel Shukhman
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
Software Versioining: A Time Travel Problem in Software Engineering
byPavel Shukhman
 
Securing SSH Access by Pavel Shukhman at OWASP Ottawa Meetup, August 2019
byPavel Shukhman
 

Recently uploaded

PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PPTX
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
PDF
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
PDF
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
PDF
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
MathML Core in WebKit
byIgalia
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
MathML Core in WebKit
byIgalia
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 

Featured

PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
PDF
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
PDF
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
PDF
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
PPTX
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
PDF
Getting into the tech field. what next
byTessa Mero
 
PDF
Skeleton Culture Code
bySkeleton Technologies
 
PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
PDF
Introduction to Data Science
byChristy Abraham Joy
 
PDF
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
PDF
Time Management & Productivity - Best Practices
byVit Horky
 
PDF
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
PDF
Everything You Need To Know About ChatGPT
byExpeed Software
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
Getting into the tech field. what next
byTessa Mero
 
Skeleton Culture Code
bySkeleton Technologies
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
Introduction to Data Science
byChristy Abraham Joy
 
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
Time Management & Productivity - Best Practices
byVit Horky
 
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
Everything You Need To Know About ChatGPT
byExpeed Software
 
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 

Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To Find Product SBOM?

  • 1.
    Where to Find ProductSBOM? *IANAL (Not a Legal Advice!)
  • 2.
    My Previous Talkson TEA and This Slide Deck BSides Toronto Talk OWASP Deck This Deck
  • 3.
    EU CRA Introduction,p.22 EU CRA Introduction, p.60 EU CRA Chapter II, Article 13, p.13
  • 4.
    SBOM Management BOM 1.SBOMs created and stored as part of SDLC (CI/CD) 2. SBOMs mapped to releases 3. Trust point - authoritative domain name 4. Release identities for your releases
  • 5.
  • 6.
    1.0.0 1.0.1 1.1.0 WhereTraditional SCA Breaks SCA is Done Somewhere Here
  • 7.
    SCA is Done SomewhereHere With SBOM Generation Same with SBOM Repeat Every X Days
  • 8.
  • 9.
    The only wellestablished system exists for individual container images on OCI storage
  • 10.
    Product - ComponentData Model Apache Log4j Log4j v2.25.1 Product Product Release Log4j Core Component Log4j v2.25.0 Log4j API Log4j Core v2.25.1 Log4j Core v2.25.0 Log4j API v2.25.1 Log4j API v2.25.0 Component Release
  • 11.
    Releases and Collectionsof Artifacts Release Source Code Level SBOM Container Level SBOM Collection v2 Source Code Level SBOM Collection v1
  • 12.
    Most Accurate Datais Only Available Upstream
  • 13.
    API is theFuture of Transparency CycloneDX 2.0 Expected to Have API Version
  • 14.
    for some TEA? Ifyour SBOM management is CRA ready, it is TEA ready. More so, TEA may act as a framework for readiness towards other frameworks.
  • 15.
    Transparency Exchange API API-first(TEA is an API) Decentralized TEI-based Discovery Product-Component Model Release-Collection Model CLE / EoX Insights
  • 16.
    TEA Server Management 1.Self-Hosted 2. Managed by TEA Service Provider Domain Always Belongs to Self!
  • 17.
    Discovery via TEI TEI ProductRelease urn:tei:<type>:<domain-name>:<unique-identifier> urn:tei:purl:cyclonedx.org:pkg:pypi/[email protected] UUID PURL SWID HASH EAN/UPC UDI GTIN ASIN Known Types:
  • 19.
    Demo TEA Flow- Apache Log4j2 urn:tei:purl:oolong-demo.rearmhq.com:pkg:maven/org.apache.logging.log4j/[email protected] urn:tei:uuid:oolong-demo.rearmhq.com:ff08fa6a-1df9-4ab7-b3ec-e02837845a06 urn:tei:purl:oolong-demo.rearmhq.com:pkg:github/apache/logging-log4j2
  • 20.
  • 21.
    Get Inovled andReferences https://github.com/CycloneDX/transparency-exchange-api/ https://cyclonedx.org/slack/invite https://cyclonedx.org/participate/contribute/ https://tc54.org/tea/ https://openssf.org/resources/improving-risk-management-decisions-with-sbom-data/ https://www.cisa.gov/sites/default/files/2025-09/joint-guidance-a-shared-vision-of- software-bill-of-materials-for-cybersecurity_508c.pdf https://github.com/relizaio/oolong https://www.youtube.com/watch?v=MjVQZxFENQI
  • 22.
    Thank you! I’mPavel Shukhman Startup Founder Building ReARM - Open Core xBOM tool TEA Contributor, participant of OpenSSF SBOM groups Avid Traveler *IANAL (Not a Legal Advice!)