
OmniBOR: Bringing the Receipts for Supply Chain Security

Authors:   Frederick Kautz


Summary

OmniBOR is a new way to capture the full artifact dependency graph of software as an output of the build tools themselves, rather than as an after-the-fact scan, simplifying the software supply chain and improving security.
  • OmniBOR was developed in response to the Colonial Pipeline ransomware attack and the cybersecurity executive order issued by the Biden Administration.
  • OmniBOR records the full artifact dependency graph as the build runs, so the record of what went into an artifact comes from the tool that produced it rather than from a scanner guessing afterwards.
  • Aeva Black spoke with various people and found problems with how SBOMs were being produced, which led to the development of OmniBOR.
  • Simplicity is key in software supply chain security; OmniBOR aims to simplify the problem by changing perspective and focusing on three things: identity, dependency, and metadata.
  • OmniBOR has had good outreach and interest since its launch in February 2020.
Aeva Black went around and spoke with various people over a cup of tea or coffee and found problems with how SBOMs were being produced. At small scale the approach looked fine, but once scaled out it looked more like trying to trace where everything had come from. The general response to that was horror, frustration, or a mixture of both.
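The three ingredients above (identity, dependency, metadata) can be made concrete with a small simulation of a build tool that records the dependency graph as it runs. This is an added example, not code from the OmniBOR project or from the talk: the artifact identifier is git's blob object hash (sha256 over "blob <length>\0" followed by the content), which is the gitoid construction OmniBOR uses for identity; the manifest layout is a simplified approximation of an artifact dependency graph manifest and should be read as an assumption, as should the BuildRecorder class, the build_app and affected_inputs helpers, and the constructed source and object bytes. The point it demonstrates is the one the abstract makes: an advisory keyed by an exact content-derived identifier matches the vulnerable bytes and nothing else, so a patched copy of the same file is not a false positive.

```python
import hashlib


def gitoid_sha256(data: bytes) -> str:
    """Content-derived artifact identifier.

    This is git's blob object hash, sha256(b"blob <len>\\0" + content), the
    construction OmniBOR uses for artifact IDs (gitoids). Two files with the
    same bytes get the same ID regardless of name, path or version string.
    """
    header = b"blob %d\0" % len(data)
    return hashlib.sha256(header + data).hexdigest()


class BuildRecorder:
    """Stand-in for a build tool that records the artifact dependency graph
    as a side effect of building (constructed for this example)."""

    def __init__(self) -> None:
        self.names = {}      # gitoid -> human-readable label (metadata only)
        self.manifests = {}  # output gitoid -> sorted input gitoids (dependency)

    def record_artifact(self, name: str, content: bytes) -> str:
        gid = gitoid_sha256(content)
        self.names[gid] = name
        return gid

    def record_build_step(self, name: str, output: bytes, inputs: list) -> str:
        """Called by the 'compiler' or 'linker' when it produces an output."""
        out = self.record_artifact(name, output)
        self.manifests[out] = sorted(inputs)
        return out

    def manifest_text(self, out: str) -> str:
        """Emit a manifest for one output. Layout is a simplified approximation
        of an OmniBOR ADG manifest (assumption): a hash-type header, then one
        sorted line per direct input, with 'bom <id>' pointing at the input's
        own manifest when that input was itself built."""
        lines = ["gitoid:blob:sha256"]
        for dep in self.manifests[out]:
            line = f"blob {dep}"
            if dep in self.manifests:
                line += f" bom {gitoid_sha256(self.manifest_text(dep).encode())}"
            lines.append(line)
        return "\n".join(lines) + "\n"

    def transitive_inputs(self, out: str) -> set:
        """Every artifact that contributed to `out`, at any depth."""
        seen, stack = set(), [out]
        while stack:
            for dep in self.manifests.get(stack.pop(), ()):
                if dep not in seen:
                    seen.add(dep)
                    stack.append(dep)
        return seen


# Constructed sample inputs: a vulnerable helper and its patched version.
VULNERABLE_SRC = b"int parse(char *s) { char buf[8]; strcpy(buf, s); return 0; }\n"
PATCHED_SRC = b"int parse(char *s) { char buf[8]; strlcpy(buf, s, sizeof buf); return 0; }\n"
MAIN_SRC = b'int main(void) { return parse("input"); }\n'


def build_app(parse_src: bytes):
    """Simulate compile + link, recording the graph as the build runs."""
    rec = BuildRecorder()
    parse_c = rec.record_artifact("parse.c", parse_src)
    main_c = rec.record_artifact("main.c", MAIN_SRC)
    # Object and binary bytes are constructed stand-ins for real compiler output.
    parse_o = rec.record_build_step("parse.o", b"OBJ:" + parse_src, [parse_c])
    main_o = rec.record_build_step("main.o", b"OBJ:" + MAIN_SRC, [main_c])
    app = rec.record_build_step("app", b"ELF:" + parse_src + MAIN_SRC, [parse_o, main_o])
    return rec, app


def affected_inputs(rec: BuildRecorder, artifact: str, advisory_ids: set) -> set:
    """Exact-match lookup: which inputs of `artifact` appear in an advisory
    keyed by artifact ID rather than by package name and version string."""
    return {rec.names[g] for g in rec.transitive_inputs(artifact) if g in advisory_ids}


if __name__ == "__main__":
    advisory = {gitoid_sha256(VULNERABLE_SRC)}  # advisory publishes the vulnerable blob's ID
    rec, app = build_app(VULNERABLE_SRC)
    print(rec.manifest_text(app))
    print("affected:", affected_inputs(rec, app, advisory))              # {'parse.c'}
    rec, app = build_app(PATCHED_SRC)
    print("affected after patch:", affected_inputs(rec, app, advisory))  # set()
```

Because the graph is keyed by content rather than by name, the same lookup also catches a vendored or renamed copy of the vulnerable file, which is exactly the case a name-and-version scanner misses in one direction and flags falsely in the other.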

Abstract

Supply chain requirements got you down? Getting an endless array of false positives from your ‘SBOM scanners’? Spending more of your time proving you don’t have a ‘false positive’ from your scanners than fixing real vulnerabilities in your code? There has to be a better way. There is. Come hear from Aeva and Ed about a new way to capture the full artifact dependency graph of your software, not as a ‘scan’ after the fact, but as an output of your build tools themselves. Find out when this feature is coming to a build tool near you.
