Understanding SBOMs: An Intro to Modern Development
Housekeeping
01 All participant lines are muted
02 Questions will be accepted throughout; enter questions via the Q&A panel
03 You will receive a follow-up email with a link to the recording
04 Please respond to poll questions as they appear on your screen
Introductions
Josh Bressers, VP of Security
Alan Pope, Director of Developer Relations
Chris Phillips, Senior Software Engineer
Today’s Topics
01 Defining SBOM standards and formats
02 Best practices for generating and automating SBOMs
03 Integrating SBOMs into existing infrastructure and workflows
04 Practical tips for protecting against emerging supply chain threats
Anchore Overview
[Logo walls: Select Public Sector Customers; Select Enterprise Customers]
● Founded in 2016 in California by ex-Ansible / Red Hat / Eucalyptus founders
● Creators of Syft and Grype, with tens of millions of downloads
● Anchore Enterprise deployed in the DOD and at the largest technology vendors in the world since 2018
Software Bill of Materials
What an SBOM is, and why it matters
Bill of Materials (BOM)
A hardware BOM from a RepRap 3D printer hot end.
● Lists physical parts
● Includes quantities, part numbers
● Essential for production planning, inventory management, assembly
https://reprap.org/wiki/RepRap
Software Bill of Materials (SBOM)
A small section from an SBOM.
● Machine-readable and (roughly) human-readable file
● Lists all components and dependencies in your software.
● Industry-standard formats for sharing SBOMs include SPDX, CycloneDX, and SWID.
SBOM Generation Rationale
● Meet US and EU regulatory requirements
  ■ White House Executive Order (EO 14028)
  ■ EU Cyber Resilience Act
● Identify vulnerable components
  ■ E.g. Log4j
● Track license usage and legal compliance
● Make informed software procurement decisions
● Speed up incident response
SBOM Generation
Where SBOMs come from, and common standards
SBOM Formats - SPDX
● ISO-standard format maintained by the Linux Foundation to document software components
● Tracks licenses, copyrights, and security details for each component in your software
● Strong industry adoption across major tech companies
https://spdx.dev - The Linux Foundation's official SPDX site
SBOM Formats - CycloneDX
● Created by OWASP specifically for security and supply chain analysis
● Excels at tracking both direct and indirect dependencies
● Includes support for containers, cloud services, and modern development needs
https://cyclonedx.org/ - OWASP's official specification site
SBOM Generation Tools
● SPDX-Tools: official Linux Foundation tool for generating SPDX SBOMs
● cdxgen: OWASP's native tool for creating CycloneDX SBOMs from software projects
● Syft: Anchore's universal SBOM generator, supporting multiple formats and container images. Integrated into Grype, Anchore’s vulnerability scanner.
● Microsoft SBOM Tool: cross-platform tool supporting both SPDX and CycloneDX formats
● Tern: VMware's container-focused SBOM generator with support for multiple formats
● Plus many ecosystem- and language-specific SBOM generators
Getting Started with Syft - DEMO
# Install Syft (varies by platform)
# See: https://github.com/anchore/syft#installation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Generate a human-readable SBOM from a small container published on Docker Hub
syft alpine:latest
# Generate an SPDX SBOM, writing it to a file and to the console via jq
syft alpine:latest -o spdx-json=alpine_latest_spdx.json -o spdx-json | jq .
# Generate a CycloneDX SBOM, writing it to a file and to the console via jq
# Note: this is an older Alpine release
syft alpine:3.10 -o cyclonedx-json=alpine_310_cyclonedx.json -o cyclonedx-json | jq .
# Generate a human-readable SBOM from a substantial container published on Docker Hub
# Warning: ~420MB container download; takes >10s to run
syft nextcloud:latest
Getting Started with Grype - DEMO
# Install Grype (varies by platform)
# See: https://github.com/anchore/grype#installation
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Generate a human-readable vulnerability report from a small, older container published on
# Docker Hub. This internally generates a new SBOM first.
grype alpine:3.10
# Analyze the already-created SPDX SBOM for vulnerabilities (there will likely be none)
grype alpine_latest_spdx.json
# Analyze the CycloneDX SBOM and output results in JSON format via jq
grype alpine_310_cyclonedx.json -o json | jq .
# Generate an SBOM in Syft’s internal JSON format from a substantial container
# published on Docker Hub, and feed that SBOM to Grype on stdin
syft nextcloud:latest -o syft-json | grype
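A CI gate over Grype's JSON report, as an added example that is not part of the slides or of Grype itself: it reads the output of `grype <sbom> -o json` (a constructed sample is embedded; the `matches`, `vulnerability.severity`, `fix.state` and `artifact.purl` field names are assumed from Grype's JSON format, and the CVE ids are placeholders) and exits non-zero when a fixable finding meets the severity threshold.

```python
import json
import sys

# Severity names as Grype prints them (assumed); the list index gives the rank.
SEVERITIES = ["Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in the shape of `grype <sbom> -o json` (field names assumed).
# The vulnerability ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-PLACEHOLDER-1", "severity": "Critical",
                       "fix": {"versions": ["2.17.1"], "state": "fixed"}},
     "artifact": {"name": "log4j-core", "version": "2.14.1", "type": "java-archive",
                  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
    {"vulnerability": {"id": "CVE-0000-PLACEHOLDER-2", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "musl", "version": "1.1.22-r3", "type": "apk",
                  "purl": "pkg:apk/alpine/musl@1.1.22-r3"}},
    {"vulnerability": {"id": "CVE-0000-PLACEHOLDER-3", "severity": "Low",
                       "fix": {"versions": ["1.2.0"], "state": "fixed"}},
     "artifact": {"name": "lodash", "version": "1.1.0", "type": "npm",
                  "purl": "pkg:npm/lodash@1.1.0"}},
]})

def rank(severity):
    """Rank a severity string; anything outside the known list ranks below Negligible."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else -1

def gate(report_json, threshold="High", fixable_only=True):
    """Return the blocking findings: matches at or above `threshold` and, by default,
    only those Grype marks as fixed upstream, so the gate never blocks on findings
    the team cannot act on yet."""
    blocking = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        if rank(vuln.get("severity", "")) < rank(threshold):
            continue
        fix = vuln.get("fix", {})
        if fixable_only and fix.get("state") != "fixed":
            continue
        blocking.append({"id": vuln["id"], "severity": vuln["severity"],
                         "purl": art.get("purl") or f"{art['name']}@{art['version']}",
                         "fix_versions": fix.get("versions", [])})
    return blocking

if __name__ == "__main__":
    # Usage: grype alpine_310_cyclonedx.json -o json > report.json; python gate.py report.json
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = gate(report)
    for f in findings:
        print(f"{f['severity']:<9} {f['id']} {f['purl']} -> fix in {', '.join(f['fix_versions'])}")
    sys.exit(1 if findings else 0)
```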
Syft Ecosystem Coverage
Alpine (apk)
C (conan)
C++ (conan)
Dart (pubs)
Debian (dpkg)
Dotnet (deps.json)
Objective-C (cocoapods)
Elixir (mix)
Erlang (rebar3)
Go (go.mod, Go binaries)
Haskell (cabal, stack)
Java (jar, ear, war, par, sar, nar, native-image)
JavaScript (npm, yarn)
Jenkins Plugins (jpi, hpi)
Linux kernel archives (vmlinuz)
Linux kernel modules (ko)
Nix (outputs in /nix/store)
PHP (composer)
Python (wheel, egg, poetry, requirements.txt)
Red Hat (rpm)
Ruby (gem)
Rust (cargo.lock)
Swift (cocoapods, swift-package-manager)
WordPress plugins
SBOMs in Developer Workflows
Where SBOMs fit in software development
The Problem
[Diagram: the Software Supply Chain feeding Your Application. Sources are Open Source, Software Suppliers and Custom Code; Declared Dependencies pull in Transitive Dependencies, which end up in Deployed Containers. The Code, Build and Runtime stages are marked with unknowns (?) and alerts (!).]
Software complexity is increasing and makes it hard to know what is in your environment. How do you find the next Log4j?
SBOM Automation
Anchore Enterprise
Practical Examples
SBOM generation, integration and benefits
Practical examples
Pull an image for analysis. The table view shows the list of installed packages found per ecosystem.
Practical examples
The JSON view can show packages with their associated filesystem locations. This helps vulnerability scanners pinpoint the locations of vulnerable packages.
Practical examples
An SBOM can also come with a list of CPEs, a PURL (Package URL), and ecosystem-specific metadata, as well as dependencies.
These fields give users identifiers that link their software dependencies to other data sets: vulnerability data, compliance/license information, or internal build data that pinpoints when and where a dependency was added.
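An added example, not code from the slides: parsing the PURL on each CycloneDX component and joining it, via the version-less PURL, to vulnerability, license and build-data tables. The SBOM fragment and the three tables are constructed here (Log4j stands in for "the next Log4j"), and the version comparison is deliberately simplified.

```python
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX fragment (components[].purl); not a real SBOM from the slides.
SAMPLE_CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "musl", "version": "1.1.22-r3",
     "purl": "pkg:apk/alpine/musl@1.1.22-r3?arch=x86_64&distro=alpine-3.10.9"},
]})

# Constructed data sets keyed by the version-less PURL. A real pipeline would query
# vulnerability feeds, a license inventory and internal build records instead.
VULN_DATA = {"pkg:maven/org.apache.logging.log4j/log4j-core": {"fixed_in": "2.17.1"}}
LICENSE_DATA = {"pkg:maven/org.apache.logging.log4j/log4j-core": "Apache-2.0",
                "pkg:pypi/requests": "Apache-2.0", "pkg:apk/alpine/musl": "MIT"}
BUILD_DATA = {"pkg:pypi/requests": "added by build job <placeholder> (constructed)"}

def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl}")
    body = purl[4:].partition("#")[0]                      # drop the subpath
    body, _, qualifiers = body.partition("?")              # split off qualifiers
    body, version = body.rsplit("@", 1) if "@" in body else (body, "")
    ptype, _, rest = body.partition("/")
    namespace, _, name = rest.rpartition("/")              # namespace may be empty
    key = f"pkg:{ptype}/{namespace + '/' if namespace else ''}{name}"
    quals = dict(q.split("=", 1) for q in qualifiers.split("&") if "=" in q)
    return {"type": ptype, "namespace": unquote(namespace) or None, "name": unquote(name),
            "version": unquote(version) or None, "qualifiers": quals, "key": key}

def vtuple(version):
    """Simplified version key: the integer runs, e.g. '1.1.22-r3' -> (1, 1, 22, 3)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def enrich(cdx_json):
    """Join each component, via its PURL, to the vulnerability, license and build data."""
    rows = []
    for comp in json.loads(cdx_json).get("components", []):
        p = parse_purl(comp["purl"])
        vuln = VULN_DATA.get(p["key"])
        rows.append({"key": p["key"], "version": p["version"],
                     "vulnerable": bool(vuln and p["version"]
                                        and vtuple(p["version"]) < vtuple(vuln["fixed_in"])),
                     "license": LICENSE_DATA.get(p["key"], "unknown"),
                     "build": BUILD_DATA.get(p["key"])})
    return rows

if __name__ == "__main__":
    for r in enrich(SAMPLE_CDX):
        print(f"{r['key']}@{r['version']}: vulnerable={r['vulnerable']} license={r['license']}")
```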
Practical examples
While SBOMs are not perfect solutions, they can quickly answer questions like: “Find all files in my container that were classified as an ‘executable’”.
The picture on the right is an example where the Syft JSON output is filtered for files with the `executable` field, showing ELF-formatted files, their imported libraries, and the security features associated with each binary.
Practical examples
The previous example can go a step further to find all executables that might be missing a certain security feature a user requires in a compliant image.
The photo on the right filters for all executables in the image that do not have stack canaries set to true.
Stack canaries, or security cookies, are tell-tale values added to binaries during compilation to protect critical stack values like the return pointer against buffer overflow attacks. If an incorrect canary is detected at certain stages of the execution flow, such as right before a return (RET), the program is terminated. Their presence makes exploitation of such vulnerabilities more difficult.
Practical examples
SBOMs can also take a “negative” of an image and give the user a report of things that were not cataloged or found to be part of any structure/ecosystem.
The photo on the right shows an example where we ask the output: “What archives, executables, and other artifacts came back not associated with any elements or packages in the final document?”
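The three filters described on these slides (ELF executables, executables missing a stack canary, and the "negative" of files no package owns) as one added example, written against a constructed document in the shape of `syft <image> -o syft-json`. It is not Syft's own code, and the field names (`files[].executable.elfSecurityFeatures`, `artifacts[].metadata.files`, `artifactRelationships` of type `contains`) are assumptions about Syft's JSON output.

```python
import json

# Constructed sample in the shape of `syft <image> -o syft-json` (field names assumed).
# Ids are placeholders; a real document carries coordinates with layer digests.
SAMPLE_SYFT = {
    "artifacts": [
        {"id": "pkg-busybox", "name": "busybox", "version": "1.30.1-r3", "type": "apk",
         "locations": [{"path": "/lib/apk/db/installed"}],
         "metadata": {"files": [{"path": "/bin/busybox"}]}},
    ],
    "artifactRelationships": [
        {"parent": "pkg-busybox", "child": "file-busybox", "type": "contains"}],
    "files": [
        {"id": "file-busybox", "location": {"path": "/bin/busybox"},
         "executable": {"format": "ELF", "hasEntrypoint": True,
                        "importedLibraries": ["libc.musl-x86_64.so.1"],
                        "elfSecurityFeatures": {"stackCanary": True, "nx": True,
                                                "pie": True, "relRO": "full"}}},
        {"id": "file-agent", "location": {"path": "/opt/vendor/agent"},
         "executable": {"format": "ELF", "hasEntrypoint": True,
                        "importedLibraries": ["libc.musl-x86_64.so.1", "libssl.so.1.1"],
                        "elfSecurityFeatures": {"stackCanary": False, "nx": True,
                                                "pie": False, "relRO": "none"}}},
        {"id": "file-tar", "location": {"path": "/opt/vendor/bundle.tar.gz"}},
        {"id": "file-apkdb", "location": {"path": "/lib/apk/db/installed"}},
    ]}

def executables(doc, fmt="ELF"):
    """Files the catalog classified as executables of the given format."""
    return [f for f in doc.get("files", []) if f.get("executable", {}).get("format") == fmt]

def missing_feature(doc, feature="stackCanary"):
    """Paths of ELF executables whose elfSecurityFeatures lack `feature` or have it false."""
    return [f["location"]["path"] for f in executables(doc)
            if not f["executable"].get("elfSecurityFeatures", {}).get(feature)]

def negative(doc):
    """Paths in the file catalog that no package claims: not among a package's own
    locations, its metadata file list, or a 'contains' relationship from a package."""
    pkg_ids = {a["id"] for a in doc.get("artifacts", [])}
    owned_paths, owned_ids = set(), set()
    for a in doc.get("artifacts", []):
        owned_paths.update(loc["path"] for loc in a.get("locations", []))
        owned_paths.update(m["path"] for m in (a.get("metadata") or {}).get("files", []))
    for r in doc.get("artifactRelationships", []):
        if r.get("type") == "contains" and r.get("parent") in pkg_ids:
            owned_ids.add(r.get("child"))
    return sorted(f["location"]["path"] for f in doc.get("files", [])
                  if f.get("id") not in owned_ids and f["location"]["path"] not in owned_paths)

if __name__ == "__main__":
    import sys  # usage: syft alpine:3.10 -o syft-json > sbom.json; python negative.py sbom.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SYFT
    print("executables without stack canary:", missing_feature(doc))
    print("not owned by any package:", negative(doc))
```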
Q&A
Summary
01 Industry standards in SBOM creation
02 The importance of accurate tools, generating high-quality SBOMs
03 How SBOM generation is integrated into the development workflow
04 Practical, reproducible examples
Next Steps
Sign up for SBOM Webinar #2 - Deep dive with Kate Stewart
https://tinyurl.com/sbom-2
Learn more about Anchore Enterprise
https://anchore.com/platform
Visit our GitHub and Discourse
github.com/anchore and anchore.com/discourse
Learn how Google manages SBOMs at scale
https://tinyurl.com/sboms-google
© 2024
sales@anchore.com anchore.com
Thank you!