The importance of generating Software Bill of Materials (S-BOMs) for containerized applications and the need for multiple snapshots throughout development to detect potential tampering, new versions, or changes in dependencies.
- S-BOMs for containerized applications can detect unexpected changes in the contents of a software application, which can indicate potential tampering, new versions, or changes in dependencies.
- Generating an S-BOM creates a snapshot of the components of a container at a specific time during the development process.
- Multiple snapshots throughout development are necessary to detect any changes that may introduce new risks.
- S-BOMs should be stored alongside the image they were generated for and published to a registry.
- The question of when to generate S-BOMs is important to consider as it can affect the detection of potential risks.
The speaker used a food analogy to explain the importance of detecting potential risks in containerized applications. Just as a person with a peanut allergy cares about the peanuts in the food they are eating, developers should care about the raw materials and preparation process of their containerized applications. A contaminant can be introduced in the preparation process itself, which can be detected by comparing multiple S-BOM snapshots taken throughout development.
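The snapshot comparison described above, as an added example that is not code from the talk or from the Paketo or Syft projects. It assumes two SBOM snapshots of the same image in a minimal CycloneDX-like JSON shape (a `components` list with `name`, `version` and `purl`); the package names and versions are constructed sample data.

```python
import json

# Two constructed SBOM snapshots of the same image at different build times.
SNAPSHOT_BUILD_1 = json.dumps({"components": [
    {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
    {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "urllib3", "version": "1.26.12", "purl": "pkg:pypi/urllib3@1.26.12"},
]})
SNAPSHOT_BUILD_2 = json.dumps({"components": [
    {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
    {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "urllib3", "version": "1.26.13", "purl": "pkg:pypi/urllib3@1.26.13"},
    {"name": "certifi", "version": "2022.9.24", "purl": "pkg:pypi/certifi@2022.9.24"},
]})


def component_key(component):
    """Identify a component by its purl without the version (falls back to name),
    so the same package name in two ecosystems is not confused."""
    purl = component.get("purl")
    return purl.split("@", 1)[0] if purl else component["name"]


def components(sbom_json):
    """Map each component key to its version for one SBOM snapshot."""
    data = json.loads(sbom_json)
    return {component_key(c): c["version"] for c in data.get("components", [])}


def diff_sboms(old_json, new_json):
    """Report what changed between two snapshots: new packages, dropped
    packages and version changes. Every entry is something a reviewer should
    be able to explain (a deliberate upgrade, a new dependency); anything
    unexplained is a candidate for tampering in the build process."""
    old, new = components(old_json), components(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }


def has_unexpected_changes(old_json, new_json, expected_keys=()):
    """True if any change touches a component not on the expected list."""
    d = diff_sboms(old_json, new_json)
    touched = set(d["added"]) | set(d["removed"]) | {k for k, _, _ in d["changed"]}
    return bool(touched - set(expected_keys))


if __name__ == "__main__":
    print(json.dumps(diff_sboms(SNAPSHOT_BUILD_1, SNAPSHOT_BUILD_2), indent=2))
```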
Lately, the main conversation in the software bill of materials space has largely been around why you need an SBOM to solve your security concerns, and what it can add to your secure software supply chain. At this point, community buy-in is strong, but critical questions remain undecided: How is this technology best employed in a Kubernetes setting? Which of the options in this space is right for each use case? In an emerging space within the cloud native community, there is a lot to learn, and it seems as though the best practices are changing all the time. In this session, attendees will be walked through the pros and cons of different SBOM approaches by people who have spent over a year exploring this topic, defining best practices, and building open source solutions with SBOMs. Additionally, attendees will get a demonstration of how Paketo Buildpacks-generated application images already contain an embedded SBOM, by leveraging Syft.