Leveraging SBOMS to Automate Packaging, Transfer, and Reporting of Dependencies Between Secure Environments - Ian Dunbar

The presentation discusses the use of a pipeline for validating attestations and dependencies in DevOps and cybersecurity. It emphasizes the importance of a single data flow and security team for multiple teams to ensure efficient and secure processes.

• Validation of attestations and dependencies in DevOps and cybersecurity is done through a pipeline with no manual interaction.
• Dependencies between teams and a security team are important to consider in a tree structure.
• Out of state CV reports with Hopper Cup and out of station creation with a layout file are useful tools for verification.
• The use of Gitpod and QR codes allows for easy access and testing of the pipeline.
• Manifests and S-bombs are used to define where to pull dependencies from and to augment and filter S-bombs.
• Plugins are used to collect and process S-bombs and to add metadata for security approval.
• The primary goal is to have a single data flow and security team for multiple teams to ensure efficient and secure processes.

The presenter discussed the importance of having a clear and defined process for gathering and verifying dependencies in DevOps and cybersecurity. They shared a story of a previous project where a team member had unknowingly used a vulnerable package, causing a security breach. This incident highlighted the need for a streamlined and secure process for managing dependencies.

Software Bill of Materials are being touted for tracking software build dependencies and security of a built application. Often delivered with built applications for transparency. In this talk we’ll explore a different use for Software Bill of Materials, where it is used as a packaging standard to validate and transfer assets across network boundaries. At Lockheed Martin, we’re using CycloneDX Specification to automate transfers into secure environments with strict controls to allow development teams to update build dependencies without network connectivity. We also use the CycloneDX Specification to create “seeding” deployments for Cloud Native infrastructure deployments. We’ll be demoing Hoppr, an open source tool with an extendable plugin architecture to do security validation and multi team transfers. It used CycloneDX SBOMs to collect items based on purls, run validation, and create transfers to be brought into these environments.