Authors: Jeremy Rickard
2023-04-20

tldr - powered by Generative AI

The presentation discusses the challenges of producing software bills of materials (S-BOMs) and the use of gatekeeper and external data to enforce policies in Kubernetes clusters.
  • Producing S-BOMs for Windows is a complex task that requires new tools and frameworks.
  • Automation is necessary to make S-BOMs useful and enforce policies in clusters.
  • Gatekeeper, based on Open Policy Agent, can be used with external data providers to enforce policies in Kubernetes clusters.
  • OCI 1.1's referrers API allows S-BOMs and signatures to be associated with images in registries.
Authors: Ido Neeman
2023-04-19

tldr - powered by Generative AI

Importance of IBOM and Cloud Native CMDB in Cloud Infrastructure Management
  • IBOM is important because it has compliance and professional implications
  • Legacy IT had a detailed CMDB for on-prem data centers
  • Cloud infrastructure is more complex and changes faster
  • Cloud Native CMDB is needed to control and see everything in the infrastructure
  • Drifts are key to eliminating deviations from desired state
Authors: Sophie Wigmore, Frankie Gallina-Jones
2022-10-28

tldr - powered by Generative AI

The importance of generating Software Bill of Materials (S-BOMs) for containerized applications and the need for multiple snapshots throughout development to detect potential tampering, new versions, or changes in dependencies.
  • S-BOMs for containerized applications can detect unexpected changes in the contents of a software application which can indicate potential tampering, new versions, or changes in dependencies.
  • Generating an S-BOM creates a snapshot of the components of a container at a specific time during the development process.
  • Multiple snapshots throughout development are necessary to detect any changes that may introduce new risks.
  • S-BOMs should be stored alongside the images they were generated for and published to a registry.
  • The question of when to generate S-BOMs is important to consider as it can affect the detection of potential risks.
Authors: Josh Bressers
2022-06-21

tldr - powered by Generative AI

The presentation discusses the importance of understanding the order of steps in supply chain management and the need to prioritize solutions based on the problem at hand.
  • Understanding the order of steps in supply chain management is crucial to effectively addressing problems
  • Prioritizing solutions based on the problem at hand is more effective than blindly implementing solutions
  • The speaker shares an anecdote about the challenges of vulnerability scanning and the importance of building a vulnerability management system
  • The speaker emphasizes the importance of having an S-BOM as the foundation of supply chain management
Authors: Adolfo García Veytia
2021-10-15

tldr - powered by Generative AI

The presentation discusses the creation of a software bill of materials (S-BOM) for Kubernetes releases using SPDX and a custom tool.
  • The S-BOM includes source code, container images, binaries, packages, and dependencies.
  • The tool packages the S-BOM into more consumable documents for different tools to use.
  • The tool also generates an attestation file for compliance purposes.
  • Future directions include adding RPM and dev file analysis, merging efforts with the SPDX community, and adding validation and verification capabilities.
Authors: Nisha Kumar
2021-10-13

tldr - powered by Generative AI

The presentation discusses the use of S-BOMs and container images in DevOps and cybersecurity, and the challenges in ensuring reproducibility and repeatability in container builds.
  • The speaker highlights the importance of using S-BOMs and container images in DevOps and cybersecurity.
  • The speaker demonstrates the use of BuildKit and TUF to ensure reproducibility and repeatability in container builds.
  • The speaker also discusses the need for changes in the OCI image and distribution specs to support artifact management.
  • The presentation includes a demo of building and signing container images and S-BOMs using BuildKit, TUF, and Cosign.
Authors: Wendy Nather
2021-09-24

tldr - powered by Generative AI

The presentation discusses the limitations and challenges of using software bill of materials (S-BOMs) in cybersecurity and DevOps.
  • Automating the matching of vulnerabilities and exploits with threat intelligence and blocking them is not feasible as customers may not trust the organization to do it.
  • Not all customers know enough about their software to determine if it is safe to block something.
  • Partial remediation and tracking the timeline of remediation can be challenging.
  • Social graphs and tracing components may not be useful if customers do not know what to do with the information.
  • Consumers in the middle of the supply chain need to decide the depth at which they can investigate something and owe answers to downstream customers and partners.
  • The limits of S-BOMs and the knowledge that can be obtained from them should be considered.
  • SaaS providers may not provide S-BOMs for their products.