
Managing Application Level SBOMs with Ortelius

2022-06-22

Authors: Tracy Ragan

Summary

The presentation discusses the importance of software supply chain security in a microservices world and how Ortelius.io is addressing the issue through the use of SBOMs and CVE data.
  • Ortelius.io is addressing the issue of software supply chain security in a microservices world
  • SBOMs and CVE data are important in tracking vulnerabilities and dependencies
  • Ortelius.io aggregates SBOMs and CVE data to provide a comprehensive view of an application's components and their vulnerabilities
  • The use of SBOMs and CVE data saves time and resources in tracking vulnerabilities and redundancies
  • The presentation suggests the need for better management of code in an assembly line and the potential for autonomous coding in the future
The speaker mentions that Ortelius.io spent a lot of time with the Jenkins community to understand how to build a community and make things easy for people. One of the biggest takeaways was the importance of transparency in building a community. Ortelius.io has recruited people from all over the world, including South Africa, Brazil, Chile, Pakistan, India, and the UK. The speaker also notes the challenge of tracking 20,000 containers in a microservices application and the need for better visualization or reporting of the data.

Abstract

SBOMs, or Software Bill of Materials reports, are finally being recognized for their importance in hardening cyber security. They play a crucial role in building transparency into the binary objects we deliver to our end users. Most of us think of an SBOM at the application level. In a microservice implementation, we generate the SBOM at the service level. This presentation will review how Ortelius, incubating at the Continuous Delivery Foundation, provides SBOMs aggregated at the ‘logical’ application level, with versioning. In addition to SBOMs, Ortelius also aggregates application-level licensing and CVE reports, providing the insights needed to build trust into the supply chain across the organization. Ortelius's architecture will be reviewed, showing how its versioning and dependency engine tracks updates to a container registry, which triggers the creation of new service and application versions, with continuous SBOM updates.
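The aggregation the abstract describes, as an added example that is not Ortelius's own code: several service-level SBOMs are merged into one application-level SBOM keyed by package URL, each component remembers which services carry it, a content-derived application version changes whenever any service version changes, and the merged SBOM is cross-referenced with a CVE feed and a license inventory. The SBOM documents, package names, purls and CVE identifiers below are constructed placeholders, and the minimal CycloneDX-style component shape is an assumption for the example.

```python
import hashlib
import json
from collections import defaultdict

# Constructed service-level SBOMs: one minimal CycloneDX-style component list
# per service version. All package names, purls and versions are made up.
SERVICE_SBOMS = {
    "cart-service:1.4.0": [
        {"name": "example-http", "version": "1.2.0",
         "purl": "pkg:npm/example-http@1.2.0", "licenses": ["MIT"]},
        {"name": "example-json", "version": "3.0.1",
         "purl": "pkg:npm/example-json@3.0.1", "licenses": ["Apache-2.0"]},
    ],
    "checkout-service:2.0.3": [
        {"name": "example-http", "version": "1.2.0",
         "purl": "pkg:npm/example-http@1.2.0", "licenses": ["MIT"]},
        {"name": "example-crypto", "version": "0.9.8",
         "purl": "pkg:npm/example-crypto@0.9.8", "licenses": ["GPL-3.0-only"]},
    ],
    "search-service:5.1.0": [
        {"name": "example-http", "version": "1.3.2",
         "purl": "pkg:npm/example-http@1.3.2", "licenses": ["MIT"]},
    ],
}

# Constructed CVE feed keyed by purl; the IDs are placeholders, not real CVEs.
CVE_FEED = {
    "pkg:npm/example-http@1.2.0": ["CVE-0000-0001"],
    "pkg:npm/example-crypto@0.9.8": ["CVE-0000-0002", "CVE-0000-0003"],
}


def application_version(service_sboms):
    """Content-addressed application version: a digest over the sorted set of
    service versions, so any service version change yields a new app version."""
    key = "\n".join(sorted(service_sboms)).encode()
    return hashlib.sha256(key).hexdigest()[:12]


def aggregate(service_sboms):
    """Merge service-level SBOMs into one application-level SBOM.

    Components are deduplicated by purl; each entry records which services
    carry it, so a finding can be traced back to the services to redeploy."""
    components = {}
    for service, comps in service_sboms.items():
        for c in comps:
            entry = components.setdefault(c["purl"], {
                "name": c["name"], "version": c["version"],
                "licenses": sorted(set(c.get("licenses", []))), "services": []})
            entry["services"].append(service)
    for entry in components.values():
        entry["services"].sort()
    return {"version": application_version(service_sboms),
            "components": dict(sorted(components.items()))}


def cve_report(app_sbom, cve_feed):
    """Cross-reference the aggregated SBOM with the CVE feed. Returns one
    finding per (CVE, purl) together with the services that ship it."""
    findings = []
    for purl, entry in app_sbom["components"].items():
        for cve in cve_feed.get(purl, []):
            findings.append({"cve": cve, "purl": purl,
                             "services": entry["services"]})
    return sorted(findings, key=lambda f: (f["cve"], f["purl"]))


def license_report(app_sbom):
    """Application-level license inventory: license id -> sorted purls."""
    by_license = defaultdict(list)
    for purl, entry in app_sbom["components"].items():
        for lic in entry["licenses"]:
            by_license[lic].append(purl)
    return {lic: sorted(purls) for lic, purls in sorted(by_license.items())}


if __name__ == "__main__":
    app = aggregate(SERVICE_SBOMS)
    print(json.dumps(app, indent=2))
    print(json.dumps(cve_report(app, CVE_FEED), indent=2))
    print(json.dumps(license_report(app), indent=2))
```

Keying on the purl rather than the bare package name is what makes the two example-http versions show up as distinct components, which is the difference between "the app uses example-http" and "two services still ship the affected 1.2.0 build". Bumping search-service to a new version changes the application version even though its component list may be unchanged, which mirrors the registry-triggered re-versioning in the abstract.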
