
Securing Diverse Supply Chains Across Interconnected Systems

Authors: Wayne Starr, Aaron Creel

Summary

SpaceX is using Syft, Grype, and OWASP Dependency Check as Software Bill of Materials (SBOM) and vulnerability discovery tools integrated into their software development process and continuous integration pipelines to secure diverse supply chains across interconnected systems.
  • SpaceX is launching a rocket a week and putting thousands of satellites into space, which requires a secure software development process
  • The government process is slow and manual, so SpaceX is bridging the gap by implementing an automated process
  • SpaceX is using Syft, Grype, and OWASP Dependency Check as SBOM and vulnerability discovery tools to reduce the cycle time for developers to respond to potential vulnerabilities
  • The integration of these tools has allowed SpaceX to more efficiently prioritize how developers work across projects
The motivating case was a complex binary that is built from several separate internal projects and is then packaged into a container. The binary carries many dependencies, which made it hard to determine the full scope of software, libraries, and tooling contained in such a diverse set of components. SpaceX addressed this by automating the work: Syft generates the SBOM, Grype and OWASP Dependency Check discover vulnerabilities against it, and all three run inside the software development process and continuous integration pipelines rather than as a manual review step.
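The "layered" part of the approach is that two scanners report on the same artifact from different angles (Grype from the Syft SBOM, Dependency Check from the build tree), so a CI step still has to aggregate their findings before deciding whether a build may proceed. The following is an added example of such an aggregation and gating step; it is not SpaceX's pipeline code. The input shapes are simplified models of Grype's and Dependency Check's JSON report formats (an assumption: real reports carry many more fields), and the two embedded reports are constructed sample data with placeholder vulnerability identifiers.

```python
"""Merge Grype and OWASP Dependency Check findings into one prioritized list
and apply a severity gate, as a CI pipeline step would.

Added example (not SpaceX's code). Input shapes are simplified models of the
tools' JSON output (assumption); the sample reports below are constructed.
"""
import json
from typing import Dict, List

# Ordering used both for prioritizing work and for the CI gate.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "NEGLIGIBLE": 0, "UNKNOWN": 0}

# Constructed sample: simplified shape of `grype sbom:./sbom.json -o json`.
GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High"},
         "artifact": {"name": "libexample", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Low"},
         "artifact": {"name": "toolkit", "version": "0.9"}},
    ]
})

# Constructed sample: simplified shape of a Dependency Check `--format JSON` report.
DEPCHECK_JSON = json.dumps({
    "dependencies": [
        {"fileName": "libexample-1.2.3.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "HIGH"}]},
        {"fileName": "other-2.0.jar",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0003", "severity": "CRITICAL"}]},
        {"fileName": "clean-1.0.jar"},  # no "vulnerabilities" key at all
    ]
})


def normalize_severity(label) -> str:
    """Tools disagree on casing ("High" vs "HIGH"); map anything unknown to UNKNOWN."""
    label = (label or "UNKNOWN").upper()
    return label if label in SEVERITY_RANK else "UNKNOWN"


def parse_grype(text: str) -> List[Dict]:
    """Flatten Grype matches into (id, severity, component, source) records."""
    out = []
    for match in json.loads(text).get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        out.append({"id": vuln.get("id"),
                    "severity": normalize_severity(vuln.get("severity")),
                    "component": f"{art.get('name')}@{art.get('version')}",
                    "source": "grype"})
    return out


def parse_depcheck(text: str) -> List[Dict]:
    """Flatten Dependency Check findings; dependencies without findings are skipped."""
    out = []
    for dep in json.loads(text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            out.append({"id": vuln.get("name"),
                        "severity": normalize_severity(vuln.get("severity")),
                        "component": dep.get("fileName"),
                        "source": "dependency-check"})
    return out


def merge_findings(records: List[Dict]) -> List[Dict]:
    """Collapse records by vulnerability id, keeping the highest severity seen
    and remembering every component and scanner that reported it."""
    merged: Dict[str, Dict] = {}
    for rec in records:
        entry = merged.setdefault(rec["id"], {"id": rec["id"], "severity": "UNKNOWN",
                                              "components": set(), "sources": set()})
        if SEVERITY_RANK[rec["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = rec["severity"]
        entry["components"].add(rec["component"])
        entry["sources"].add(rec["source"])
    # Highest severity first, then by id so the order is stable for reports.
    return sorted(merged.values(),
                  key=lambda e: (-SEVERITY_RANK[e["severity"]], e["id"]))


def aggregate(grype_text: str, depcheck_text: str) -> List[Dict]:
    return merge_findings(parse_grype(grype_text) + parse_depcheck(depcheck_text))


def gate(findings: List[Dict], fail_on: str = "HIGH") -> List[Dict]:
    """Return the findings that should block the build (at or above fail_on)."""
    threshold = SEVERITY_RANK[normalize_severity(fail_on)]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]


if __name__ == "__main__":
    findings = aggregate(GRYPE_JSON, DEPCHECK_JSON)
    for f in findings:
        print(f"{f['severity']:9} {f['id']}  {sorted(f['components'])}  "
              f"reported by {sorted(f['sources'])}")
    blocking = gate(findings, "HIGH")
    print(f"{len(blocking)} finding(s) at or above HIGH")
    raise SystemExit(1 if blocking else 0)
```

Deduplicating on the vulnerability identifier rather than on the component name is deliberate: the same library appears as `libexample@1.2.3` to Grype and as `libexample-1.2.3.jar` to Dependency Check, so keying on the component would double-count the finding and inflate the work queue. The non-zero exit status is what lets a CI job fail the build automatically, which is the manual step the talk describes removing.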

Abstract

Working within large software systems can make it difficult to determine the full scope of software, libraries and tooling contained within a diverse set of components, often maintained across separate teams and departments. Security teams must become familiar with a wide range of packaging technologies and practices, and often manually aggregate information to make determinations on where vulnerabilities may be present and how to mitigate them. In this talk, we will share how SpaceX is solving this through a layered application of Syft, Grype, and OWASP Dependency Check as Software Bill of Materials (SBOM) and vulnerability discovery tools integrated into their software development process and continuous integration pipelines. This integration has allowed them to reduce the cycle time for developers to respond to potential vulnerabilities, and allowed them to more efficiently prioritize how developers work across projects.
